diff --git a/.openpublishing.redirection.windows-application-management.json b/.openpublishing.redirection.windows-application-management.json
index 963abce1b0..4b1866c772 100644
--- a/.openpublishing.redirection.windows-application-management.json
+++ b/.openpublishing.redirection.windows-application-management.json
@@ -7,17 +7,22 @@
},
{
"source_path": "windows/application-management/msix-app-packaging-tool.md",
- "redirect_url": "/windows/application-management/apps-in-windows-10",
+ "redirect_url": "/windows/application-management/overview-windows-apps",
"redirect_document_id": false
},
{
"source_path": "windows/application-management/provisioned-apps-windows-client-os.md",
- "redirect_url": "/windows/application-management/apps-in-windows-10",
+ "redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
"redirect_document_id": false
},
{
"source_path": "windows/application-management/system-apps-windows-client-os.md",
- "redirect_url": "/windows/application-management/apps-in-windows-10",
+ "redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/application-management/apps-in-windows-10.md",
+ "redirect_url": "/windows/application-management/overview-windows-apps",
"redirect_document_id": false
}
]
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 49fd3e464e..06fc754819 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -750,6 +750,11 @@
"redirect_url": "/windows/deployment/windows-10-subscription-activation",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md",
+ "redirect_url": "/windows/deployment/do/mcc-enterprise-deploy",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/deployment/windows-autopatch/deploy/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index c2bee40a56..8cbc4ef4cd 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -7369,6 +7369,51 @@
"source_path": "windows/security/identity-protection/credential-guard/credential-guard-requirements.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/index",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
+ "redirect_document_id": false
}
]
}
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index e92126877b..4fc8997a6e 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index db32a71242..040eda052e 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index d9607a39ca..b11acc20a7 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index e11cff3d2f..ec381c1293 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index b73a1de7c6..cf6f1e8a76 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index 80ab1602b9..a02875375a 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 5782b539d8..025efdca77 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index ec704a9bfe..24903fe377 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 134f74c8d0..9d78748d49 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index ccec12eeac..c8a8e980b5 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 3cfc4a25e9..42e883d6c6 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index ef08860114..f73f89ee26 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index 960c96a092..0f09ca265b 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 1e7968c63d..e869fd86fb 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 87702c1df2..2b7edc6c54 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 2b4f017846..d87457a13f 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 1160f2c0de..ab350e2a83 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index b472e767b9..9e7f90b5a1 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -7,6 +7,7 @@ ms.date: 06/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index ef9a170375..687c339a07 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index d5f427090d..95ec5914c4 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index dbd81a5419..df85debbf2 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index eb01f08fd1..26f5a073a8 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index eb35d19690..3a2f20cbb5 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index fe8a0c0ac9..09a658895f 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index b67e058e20..18a61bee6e 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 4d6aef98c4..0dd4402170 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 206a2c4dc9..30cddc907d 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index cd1a5e6314..93333681f5 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index c5d16599a9..162c56efbc 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 8fad7898e7..9420f67b5f 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 41a9ea4ae0..4616ec336f 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 5d28a86d19..117cbd91bd 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 018b8c8984..55dc6b0ec7 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 6c7fbb6ee0..1917d768e9 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 580eebc9fd..3fac560518 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 5088aaaf0f..cbaf3e7123 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 16db5ceeae..19e48512a0 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 3b942f6fc7..4a9f49f03b 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index e4abca5b4d..d1d23d6d74 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 1db6409588..02924fde4f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 482e1e96be..0cb31fa36f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 5f5a47faf9..ee4cbe5751 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index baaaf62754..20e131feb1 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index bbba1c8a0a..e2fd60d1e8 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 623e3ef07e..2b08876aed 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 6b89ffcb68..fd90b055be 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index f782e22867..03ba41c6d2 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index ca51b3b8f9..9c19cab0aa 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -8,6 +8,7 @@ ms.date: 05/02/2022
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: how-to
---
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 3e0f982303..cc71b17cb7 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index d23763d372..5b65a93ac1 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 7ef67197bc..6874ebc260 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 2798d2e4cf..ecb4183907 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 500a015467..f851ca2a85 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index 3d480833f0..437b20eeb1 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index 604d4ca93a..acc244a595 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index ec07a9f2a4..ae2e2b56c3 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 077dfe70f2..5b258437f3 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 62b5f49184..7457b54f82 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 995af4a7b2..f5335dd5f0 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index eeeb9120d7..2fdd2ec28d 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 22fab6a3b5..2170f1e25b 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 8892ec9047..fb3a0ccc4e 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index fc381bb0f9..e125255c83 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -10,6 +10,7 @@ ms.date: 09/24/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 4765157af7..c870425b03 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 789d7cc976..d65f100109 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 78d3d9b6a6..b5ca6b5e48 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index 0322083aa8..db81d9833c 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index f707da5e2e..6e0950dbf8 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 7eb6a6ee5d..4b844f29a5 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index bca6d21d80..7b2ef74380 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 3d32c1834d..cb7e615a02 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 4ba8df6b30..c391399dd5 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 7f9891e8dc..04e30a407c 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index d586c7d002..6d1dfd402c 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index 88d29b3939..e0bf768b4b 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index f83a6efb92..3f800f36de 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 6249fb1463..61f49df9b6 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index c0d76e731a..02914cd55b 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 2faf00ec3f..478b1f8523 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index 8aeafdf96d..5cfdf7b332 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 7960a6176f..95fad14736 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -7,6 +7,7 @@ ms.reviewer:
author: aczechowski
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index e25a1a1ee7..9df6ba5e4c 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 5f377d48e3..2a86b56aff 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 2c52dce04b..8d1b3b7041 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index 55b03dee3e..2c82592252 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 9c0c3225bb..f2df77ee92 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 523b7ad256..00fd89be8c 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index cd42eb1ffc..0108207c9e 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 6b551661d4..ce0c73c061 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -7,6 +7,7 @@ ms.date: 03/08/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 9482c32049..5c13af93a6 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index 6950c97d05..a19c89cc1c 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 04be00dcbf..1b289057fe 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index ffb10c4b02..059ef24c65 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.topic: article
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index bb3c4874f4..5feee6e5a9 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 74aec2aba2..6ad489e6d0 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index 5678e04c06..8e916937ed 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index bb291a0484..d9769d9ac3 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 66b4aa8372..3cdd99110d 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index c0d29c01af..92b64eb2ec 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index d51f9556a1..ed8de7183d 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
+ms.collection: must-keep
ms.technology: itpro-apps
---
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
deleted file mode 100644
index d8e784b9e5..0000000000
--- a/windows/application-management/apps-in-windows-10.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: Overview of apps on Windows client devices
-description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.date: 02/09/2023
-ms.topic: overview
-ms.prod: windows-client
-ms.technology: itpro-apps
-ms.localizationpriority: medium
-ms.collection: tier2
-appliesto:
- - ✅ Windows 11
- - ✅ Windows 10
----
-
-# Overview of apps on Windows client devices
-
-## Before you begin
-
-As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
-
-In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
-
-- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
-- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
-- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
-
-## App types
-
-There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices.
-
-- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
-
- For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
-
-- **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview).
-
-- **.NET apps**: These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
-
- - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development).
- - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
-
-- **Windows apps**:
-
- > [!TIP]
- > Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
-
- - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
-
- - **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
-
- - **Installed**: Installed as part of the OS.
-
- - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
-
- For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
-
- - **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
-
- For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
-
- - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
-
-- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
-
- Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
-
- Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
-
-## Android™️ apps
-
-Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
-
-For more information, see:
-
-- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
-- [Windows Subsystem for Android developer information](/windows/android/wsa)
-
-## Add or deploy apps to devices
-
-When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
-
-> [!NOTE]
-> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
->Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps.
-
-- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
-
- If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
-
- For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
-
-- **Mobile device management (MDM)**: Use an MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more.
-
- For more information, see:
-
- - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
- - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
-
-- **Microsoft Store**: When you use the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store.
-
- To help manage the Microsoft Store on your devices, you can use policies:
-
- - On premises, you can use Administrative Templates in Group Policy to control access to the Microsoft Store app:
- - `User Configuration\Administrative Templates\Windows Components\Store`
- - `Computer Configuration\Administrative Templates\Windows Components\Store`
- - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app.
-
- For more information, see:
-
- - [Microsoft Store for Business and Education](/microsoft-store/)
- - [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423)
-
-- **MSIX for desktop apps**: MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
-
- To deploy MSIX packages and their apps, you can:
-
- - Use an MDM provider, like Microsoft Intune and Configuration Manager.
- - Use an App Installer. User users double-click an installer file, or select a link on a web page.
- - And more.
-
- For more information, see:
-
- - [What is MSIX?](/windows/msix/overview)
- - [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
-
-- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
-
- If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization.
-
- For more information, see [Windows Package Manager](/windows/package-manager).
-
-- **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
-
- The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
-
- If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
-
- For more information, see:
-
- - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
- - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
-
-- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps.
-
- > [!NOTE]
- > [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
-
- On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
-
- The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
-
- To help manage App-V on your devices, you can use policies:
-
- - On premises, you can use Administrative Templates in Group Policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`).
- - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies.
-
-
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 30b7ab9bfc..b08cd77d57 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -24,7 +24,7 @@ landingContent:
- linkListType: how-to-guide
links:
- text: Overview of apps in Windows
- url: apps-in-windows-10.md
+ url: overview-windows-apps.md
- text: Add or hide Windows features
url: add-apps-and-features.md
- text: Sideload LOB apps
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
new file mode 100644
index 0000000000..135c557b56
--- /dev/null
+++ b/windows/application-management/overview-windows-apps.md
@@ -0,0 +1,200 @@
+---
+title: Overview of apps on Windows client devices
+description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps.
+author: aczechowski
+ms.author: aaroncz
+manager: aaroncz
+ms.date: 08/28/2023
+ms.topic: overview
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+---
+
+# Overview of apps on Windows client devices
+
+There are different types of apps that can run on your Windows client devices. This article provides an overview of some of the common apps used on Windows devices. It also explains the basics of how to install these apps.
+
+## Windows app types
+
+### Microsoft 365 apps
+
+These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
+
+For more information on the Microsoft 365 license options, and what you get, see [Find the right Microsoft 365 enterprise plan for your organization](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing).
+
+For more information on deploying Microsoft 365 apps, see the [Deployment guide for Microsoft 365 Apps](/DeployOffice/deployment-guide-microsoft-365-apps).
+
+### Power Apps
+
+These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers.
+
+For more information, see [What is Power Apps?](/power-apps/powerapps-overview).
+
+### .NET apps
+
+These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
+
+- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF application development](/dotnet/desktop/wpf/app-development).
+
+- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
+
+### Windows apps
+
+> [!TIP]
+> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
+
+- **Apps**: All apps installed in the protected directory `C:\Program Files\WindowsApps`. There are two classes of these apps:
+
+ - **Installed**: Installed as part of the OS.
+
+ - **Provisioned**: Installed the first time you sign in with a new user account.
+
+ > [!TIP]
+ > To get a list of all provisioned apps, use Windows PowerShell:
+ >
+ > ```powershell
+ > Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+ > ```
+ >
+ > The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
+
+- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
+
+ For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
+
+- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
+
+ For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Top 11 things you can do to make your app great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
+
+- **System apps**: Apps installed in the system root directory `C:\Windows\`. These apps are part of the Windows OS.
+
+ > [!TIP]
+ > To get a list of all the system apps, use Windows PowerShell:
+ >
+ > ```powershell
+ > `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+ > ```
+ >
+ > The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
+
+### Web apps
+
+Web apps and progressive web apps (PWA) run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have network access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
+
+Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a web app](/visualstudio/get-started/csharp/tutorial-aspnet-core). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
+
+When you use an MDM provider like Microsoft Intune, you can create shortcuts to your web apps and progressive web apps on devices. For more information, see [Add web apps to Microsoft Intune](/mem/intune/apps/web-app).
+
+## Android™️ apps
+
+Starting with Windows 11, you can install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps.
+
+For more information, see the following articles:
+
+- [Apps from the Amazon Appstore](https://support.microsoft.com/windows/apps-from-the-amazon-appstore-abed2335-81bf-490a-92e5-fe01b66e5c48)
+
+- [Windows Subsystem for Android developer information](/windows/android/wsa)
+
+## Add or deploy apps to devices
+
+When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
+
+### Manually install
+
+On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
+
+If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
+
+For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
+
+### Management service
+
+Use an MDM provider like Microsoft Intune, or an on-premises solution like Configuration Manager. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, or add Store apps.
+
+For more information, see:
+
+- [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
+- [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
+
+### Microsoft Store
+
+When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
+
+> [!NOTE]
+> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
+>
+> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
+
+To help manage the Microsoft Store on your devices, you can use policies:
+
+- On premises, you can use administrative templates in group policy to control access to the Microsoft Store app:
+ - `User Configuration\Administrative Templates\Windows Components\Store`
+ - `Computer Configuration\Administrative Templates\Windows Components\Store`
+
+- Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app.
+
+### MSIX for desktop apps
+
+MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
+
+To deploy MSIX packages and their apps, you can:
+
+- Use a management service, like Microsoft Intune and Configuration Manager.
+- Use an App Installer. User users double-click an installer file, or select a link on a web page.
+
+For more information, see the following articles:
+
+- [What is MSIX?](/windows/msix/overview)
+- [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
+
+### Windows Package Manager
+
+Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from services like the Microsoft Store or GitHub, and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
+
+If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option.
+
+For more information, see [Windows Package Manager](/windows/package-manager).
+
+### Azure Virtual desktop with MSIX app attach
+
+With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
+
+The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+
+If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
+
+For more information, see the following articles:
+
+- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
+- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
+
+### Application Virtualization (App-V)
+
+App-V allows Win32 apps to be used as virtual apps.
+
+> [!NOTE]
+> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
+
+On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
+
+The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
+
+## Manage apps
+
+To help manage your devices, and help manage apps on your devices, use a management service like Microsoft Intune and Configuration Manager. For more information, see the following articles:
+
+- [Overview of endpoint management](/mem/endpoint-manager-overview)
+- [Manage your apps and app data in Microsoft Intune](/mem/intune/fundamentals/manage-apps)
+- [Introduction to application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
+
+## Application compatibility
+
+Microsoft is committed to making sure your business-critical apps work on the latest versions of Windows. For more information, see the following articles:
+
+- [Compatibility for Windows 11](/windows/compatibility/windows-11/)
+- [FastTrack App Assure program](/windows/compatibility/app-assure)
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index cc596076a4..be08bb1e0f 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -4,7 +4,7 @@ items:
- name: Application management
items:
- name: Overview of apps in Windows
- href: apps-in-windows-10.md
+ href: overview-windows-apps.md
- name: Add or hide Windows features
href: add-apps-and-features.md
- name: Sideload line of business (LOB) apps
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index e83331a476..5c867f498d 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -51,7 +51,7 @@ First, you create a default user profile with the customizations that you want,
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/overview-windows-apps).
> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 3ec573368b..cf9c04b176 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -25,11 +25,11 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- - [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
- [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
+ - [AllowOptionalContent](#allowoptionalcontent)
- [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup)
- [BranchReadinessLevel](#branchreadinesslevel)
- [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays)
@@ -107,65 +107,6 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
-
-### AllowOptionalContent
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
-```
-
-
-
-
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Device doesn't receive optional updates. |
-| 1 | Device receives optional updates and user can install from WU Settings page. |
-| 2 | Device receives optional updates and install them as soon as they're available. |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | AllowOptionalContent |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-
-
-
-
-
-
-
-
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@@ -335,6 +276,66 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
+
+### AllowOptionalContent
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
+```
+
+
+
+
+This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Don't receive optional updates. |
+| 1 | Automatically receive optional updates (including CFRs). |
+| 2 | Automatically receive optional updates. |
+| 3 | Users can select which optional updates to receive. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowOptionalContent |
+| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+
+
+
+
+
+
+
+
### AutomaticMaintenanceWakeUp
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index f6909fdc31..9c048c2cf5 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Administering UE-V with Windows PowerShell and WMI
description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 02bb612d1b..627039a508 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -3,7 +3,9 @@ title: Administering UE-V
description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index d0d7b3db53..21e3edd00d 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -3,7 +3,9 @@ title: Application Template Schema Reference for UE-V
description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 28f57b767c..0104526a2b 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -3,7 +3,9 @@ title: Changing the Frequency of UE-V Scheduled Tasks
description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index f18438c0c3..44e725599f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -3,7 +3,9 @@ title: Configuring UE-V with Group Policy Objects
description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index efd9497722..30bf50f542 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -3,7 +3,9 @@ title: Configuring UE-V with Microsoft Configuration Manager
description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index 04a273fdd4..1ab8b30874 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -3,7 +3,9 @@ title: Deploy required UE-V features
description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 76987da15a..65523c41b0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -3,7 +3,9 @@ title: Use UE-V with custom applications
description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 7b140aa669..c8732241c7 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -3,7 +3,9 @@ title: User Experience Virtualization for Windows 10, version 1607
description: Overview of User Experience Virtualization for Windows 10, version 1607
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 05/02/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 32db93baee..7bf8cae820 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -3,7 +3,9 @@ title: Get Started with UE-V
description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 03/08/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 34a9229f65..ec137a5b65 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -3,7 +3,9 @@ title: Manage Administrative Backup and Restore in UE-V
description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 51a1e724fe..419e2f3379 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -3,7 +3,9 @@ title: Manage Configurations for UE-V
description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index 78252752e3..fd0c9e9aac 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM
description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index 079e034324..9be69be554 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI
description: Managing the UE-V service and packages with Windows PowerShell and WMI
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 27fcbea39e..37a5be45ad 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -3,7 +3,9 @@ title: Migrating UE-V settings packages
description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index f498b6600b..3ed4ab1b43 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -3,7 +3,9 @@ title: Prepare a UE-V Deployment
description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 42571c453b..995f79f988 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -3,7 +3,9 @@ title: User Experience Virtualization (UE-V) Release Notes
description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 2bde66cad7..0f2220b76e 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -3,7 +3,9 @@ title: Security Considerations for UE-V
description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index bff2257777..17d2bba46f 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -3,7 +3,9 @@ title: Sync Methods for UE-V
description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index a080d46d6e..6cae6d66bf 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -3,7 +3,9 @@ title: Sync Trigger Events for UE-V
description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index a28147ecb1..e06e33e471 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -3,7 +3,9 @@ title: Synchronizing Microsoft Office with UE-V
description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index c4f15d65ce..aa4bde4500 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -3,7 +3,9 @@ title: Technical Reference for UE-V
description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 0f96a38a1b..e27f2c92a6 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -3,7 +3,9 @@ title: Troubleshooting UE-V
description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 495602a3d7..12ac8cd14c 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -3,7 +3,9 @@ title: Upgrade to UE-V for Windows 10
description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 4d2e9541ec..85bc1b7d3c 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -3,7 +3,9 @@ title: Using UE-V with Application Virtualization applications
description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index 147230cb37..fa2083f4ad 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -3,7 +3,9 @@ title: What's New in UE-V for Windows 10, version 1607
description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 1c94036b4c..8fca3e87fa 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -3,7 +3,9 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: aczechowski
ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
ms.date: 04/19/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index 3d883a1d2b..0b571541ae 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 2f26418dde..1678247efe 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index b1c2aad0d0..9af5c203a8 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 17322a4076..0e3964d49e 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index abcc63d261..97e8ca8ceb 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 10/02/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 4d48caa562..f9f8b16187 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 10/02/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index d39280a5fe..4ea08e6e5b 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 8a15c48f5b..b05ce84a8f 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md
index 6788558d33..32db3b13f7 100644
--- a/windows/configuration/wcd/wcd-changes.md
+++ b/windows/configuration/wcd/wcd-changes.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index 3bb2b66098..d5cf3986fb 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 0434a57ba2..dc3d949232 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 88daab22bd..e66ad72ff5 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index 9c1e5b2b70..8e9f623688 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index b7d4eee9d8..3c88652ff7 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/21/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index f93fe468a8..1820eebc0a 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index d47c6a0d97..eb07550f1f 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index fd933e1cb7..1f4744f0a1 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md
index 4d5c9d8f2f..8c9cbe5372 100644
--- a/windows/configuration/wcd/wcd-deviceupdatecenter.md
+++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md
@@ -6,7 +6,8 @@ author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index 218f3f2102..f5169b0cee 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 696a33078b..99b9f9fc47 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index 3bfedb1fc5..1310f33c30 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index d17727272b..1c2b161ffa 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 08/08/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index d59d40f6a3..05670e0935 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index e838a329d8..0fb6073692 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 12/18/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 600809d119..addcf27aad 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 10/02/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index f03737f546..a2135a483b 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 94fe50a11b..bbc00f2648 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index a371f05731..bf3aeccaf3 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index f12104c539..3e2ac6dce1 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 71560b301f..eb78b8e3fe 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index f8af613b82..61c6c77b95 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index b89c45755d..c6ab55142e 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 902475d894..449ba3ba75 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index 65d872fe1b..13962db09d 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -6,7 +6,8 @@ author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index d523106679..e79eb9f7f3 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 80275970c1..fbfb42be13 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 10/16/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 5ce6d3c4b1..1e5fe77243 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 03/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 53ff39614a..b8d84f5b0c 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 44ae8f59c7..55c8fcc8f3 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index b04f726240..6838b63730 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index d9a2c856ff..397c14a4f5 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
manager: aaroncz
ms.technology: itpro-configure
ms.date: 12/31/2017
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 92dd641460..cd0bdc4208 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 13b9e9a810..9934c78fd0 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index 1001238225..2fd7a6d426 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 09/06/2017
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 320b7fa6a5..1bb981193e 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -6,7 +6,8 @@ author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 6bc7634cfb..2c03844e3f 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 98f1fd3fd3..2e3a68fe9f 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 4f40efa1fb..5889dc2d7e 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 8dbef10171..9869da77b4 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index a7eafa43c9..211d170ce0 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index 1a414d570f..f69695122b 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index e37dc898a4..d5e531d913 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index a44a635cf6..6a2da109c1 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index b36b0cd090..8e21def9dd 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 8c1f2f6053..3fe32ffa9b 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index deed6bd549..a72e0b1d1d 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -7,7 +7,7 @@ author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: article
-ms.date: 07/26/2023
+ms.date: 08/22/2023
ms.technology: itpro-deploy
appliesto:
- ✅ Windows 11
@@ -1272,3 +1272,9 @@ The **boot.wim** that is part of Windows installation media isn't supported for
## Windows Server 2012 R2
This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2).
+
+## Related articles
+
+- [Create bootable Windows PE media: Update the Windows PE add-on for the Windows ADK](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#update-the-windows-pe-add-on-for-the-windows-adk)
+- [Update Windows installation media with Dynamic Update: Update WinPE](/windows/deployment/update/media-dynamic-update#update-winpe)
+- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d?preview=true#updatebootable5025885)
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index 1697bfc141..136f9e7998 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -38,13 +38,11 @@
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
- href: mcc-enterprise-portal-deploy.md
+ href: mcc-enterprise-deploy.md
- name: Update or uninstall MCC
href: mcc-enterprise-update-uninstall.md
- name: Appendix
href: mcc-enterprise-appendix.md
- - name: MCC for Enterprise and Education (early preview)
- href: mcc-enterprise-deploy.md
- name: MCC for ISPs
items:
- name: MCC for ISPs Overview
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 20462921af..1e998c0da5 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -6,10 +6,12 @@ ms.prod: windows-client
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
---
# Appendix
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index cdcf5c1b5d..53d2940cc1 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -1,5 +1,5 @@
---
-title: MCC for Enterprise and Education (early preview)
+title: Deploying your cache node
manager: aaroncz
description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: windows-client
@@ -12,7 +12,7 @@ ms.technology: itpro-updates
ms.collection: tier3
---
-# Deploying your enterprise cache node
+# Deploying your cache node
**Applies to**
@@ -130,7 +130,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
- Downloads, installs, and deploys EFLOW
- Enables Microsoft Update so EFLOW can stay up to date
- Creates a virtual machine
-- Enables the firewall and opens ports 80 for inbound and outbound traffic. Port 80 is used by MCC.
+- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
- Configures Connected Cache tuning settings.
- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
- Deploys the MCC container to server.
diff --git a/windows/deployment/do/mcc-enterprise-portal-deploy.md b/windows/deployment/do/mcc-enterprise-portal-deploy.md
deleted file mode 100644
index eea23e3bad..0000000000
--- a/windows/deployment/do/mcc-enterprise-portal-deploy.md
+++ /dev/null
@@ -1,145 +0,0 @@
----
-title: Deploying your cache node
-manager: aaroncz
-description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
-ms.prod: windows-client
-ms.author: carmenf
-author: cmknox
-ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
----
-
-# Deploying your cache node
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-## Create the Microsoft Connected Cache resource
-
-1. Navigate to Azure portal by using the [following link](https://aka.ms/mcc-enterprise-preview):
- > [!IMPORTANT]
- > You must access Azure portal using this link (https://aka.ms/mcc-enterprise-preview) in order to find the correct Microsoft Connected Cache resource.
-
- 
-
-1. In the search bar by **Get Started**, search for `Microsoft Connected Cache for Enterprise`.
- 
-1. Select **Create** to create your Microsoft Connected Cache resource. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
-1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a “Deployment complete” page as below. Select **Go to resource**.
-
-
-## Create, provision, and deploy the cache node in Azure portal
-
-To create, provision, and deploy the cache node in Azure portal, follow these steps:
-1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise (preview) resource.
-1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**.
-1. Provide a name for your cache node and select **Create** to create your cache node.
-1. You may need to refresh to see the cache node. Select the cache node to configure it.
-1. Fill out the Basics and Storage fields. Enter the cache drive size in GB - this has a minimum size of 50 GB.
-
- 
-Once complete, select **Save** at the top of the page and select **Provision server**.
-1. To deploy your cache node, download the installer by selecting **Download provisioning package**.
-1. Run the provided provisioning script - note that this is unique to each cache node.
-
-## Verify proper functioning MCC server
-
-#### Verify client side
-
-Connect to the EFLOW VM and check if MCC is properly running:
-
-1. Open PowerShell as an Administrator.
-2. Enter the following commands:
-
- ```powershell
- Connect-EflowVm
- sudo -s
- iotedge list
- ```
-
- :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
-
-#### Verify server side
-
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server.
-
-```powershell
-wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
-```
-
-A successful test result will display a status code of 200 along with additional information.
-
-:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
-
- :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
-
-Similarly, enter the following URL from a browser in the network:
-
-`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
-
-If the test fails, see the [common issues](#common-issues) section for more information.
-
-### Monitoring your metrics
-
-To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
-
-:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
-
-You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.
-
-If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured.
-
-
-### Intune (or other management software) configuration for MCC
-
-For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
-
-:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
-
-## Common Issues
-
-#### PowerShell issues
-
-If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.`
-
-1. Ensure you're running Windows PowerShell version 5.x.
-
-1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
-
-1. Ensure you have Hyper-V enabled:
-
- **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
-
- **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
-
-#### Verify Running MCC Container
-
-Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
-
-```bash
-Connect-EflowVm
-sudo iotedge list
-```
-
-:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
-
-If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-This command will provide the current status of the starting, stopping of a container, or the container pull and start.
-
-:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
-
-
-> [!NOTE]
-> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index d79c144a59..410155b347 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -6,11 +6,14 @@ ms.prod: windows-client
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
---
+
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index b7bea13484..a4d800235c 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -1,15 +1,17 @@
---
title: Cache node configuration
manager: aaroncz
-description: Configuring a cache node on Azure portal
+description: Configuring a cache node on Azure portal.
ms.prod: windows-client
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
+ms.topic: reference
ms.date: 12/31/2017
ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
---
# Cache node configuration
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index ab13ed3b58..5a3dcbd4fb 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -6,10 +6,12 @@ ms.prod: windows-client
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
---
# Update or uninstall your cache node
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 2103cab516..2735892b16 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -276,9 +276,7 @@ Starting in Windows 10, version 1803, allows you to delay the use of an HTTP sou
MDM Setting: **DelayCacheServerFallbackForeground**
-Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
-
-By default this policy isn't set. So,
+Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
### Delay Background Download Cache Server Fallback (in secs)
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index a0f9346acc..72d37a8849 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -2,20 +2,23 @@
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 08/21/2021
---
# Windows Updates using forward and reverse differentials
-Windows 10 monthly quality updates are cumulative, containing all previously
+Windows monthly quality updates are cumulative, containing all previously
released fixes to ensure consistency and simplicity. For an operating system
-platform like Windows 10, which stays in support for multiple years, the size of
+platform like Windows, which stays in support for multiple years, the size of
monthly quality updates can quickly grow large, thus directly impacting network
bandwidth consumption.
@@ -23,8 +26,8 @@ Today, this problem is addressed by using express downloads, where differential
downloads for every changed file in the update are generated based on selected
historical revisions plus the base version. In this paper, we introduce a new
technique to build compact software update packages that are applicable to any
-revision of the base version, and then describe how Windows 10 quality updates
-uses this technique.
+revision of the base version, and then describe how Windows quality updates
+use this technique.
## General Terms
@@ -65,45 +68,44 @@ numerous advantages:
- Efficient to install
- Redistributable
-Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
+Historically, download sizes of Windows quality updates (Windows 10, version 1803 and older supported versions of Windows 10) were optimized by using express download. Express download is optimized such that updating Windows systems download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
-For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
+For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device applying express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
-The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
+The flip side of express download is that the size of PSF files can be large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they're unable to use express updates to keep their fleet of devices running Windows up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it's only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
-In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads.
+In the following sections, we describe how quality updates use this technique based on forward and reverse differentials for newer releases of Windows and Windows Server to overcome the challenges with express downloads.
## High-level Design
### Update packaging
-Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
+Windows quality update packages contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices have an identical payload. Update package metadata, content manifests, and forward and reverse differentials are packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
-There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
+There can be cases where new files are added to the system during servicing. These files won't have RTM baselines, thus forward and reverse differentials can't be used. In these scenarios, null differentials are used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows quality update installer:
### Hydration and installation
-Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process.
+Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure hydrates the full files during preinstallation and then proceeds with the usual installation process.
-Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update:
+Below is a high-level sequence of activities that the component servicing infrastructure runs in a transaction to complete installation of the update:
- Identify all files that are required to install the update.
- Hydrate each of necessary files using current version (VN) of the file, reverse differential (VN--->RTM) of the file back to quality update RTM/base version and forward differential (VRTM--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files.
-- Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder).
+- Stage the hydrated files (full file), forward differentials (under `f` folder) and reverse differentials (under `r` folder) or null compressed files (under `n` folder) in the component store (%windir%\\WinSxS folder).
- Resolve any dependencies and install components.
- Clean up older state (VN-1); the previous state VN is retained for uninstallation and restoration or repair.
### **Resilient Hydration**
-To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (“automatic corruption repair”) or on demand (“manual corruption repair”) using an online or local repair source. This service will continue to offer the ability to repair and recover content for
-hydration and successfully install an update, if needed.
+To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (automatic corruption repair) or on demand (manual corruption repair) using an online or local repair source. This service will continue to offer the ability to repair and recover content for hydration and successfully install an update, if needed.
-When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
+When corruption is detected during update operations, automatic corruption repair starts as usual and uses the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
-Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair.
+Corruption repair uses the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine are set. When automatic corruption repair runs, it scans hydrated files using the manifest and differential files using the flags. If the differential can't be found or verified, it's added to the list of corruptions to repair.
### Lazy automatic corruption repair
-“Lazy automatic corruption repair” runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
+"Lazy automatic corruption repair" runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index c77bd7cf97..a5732df6ef 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,14 +1,19 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 06/07/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
-ms.reviewer: mstewart
-ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 06/07/2023
---
# How to check Windows release health
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 0f0a693609..89a981ff58 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,28 +1,28 @@
---
title: Create a deployment plan
-description: Devise the number of deployment rings you need and how you want to populate them
+description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Create a deployment plan
-**Applies to**
-
-- Windows 10
-- Windows 11
-
A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
-At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
A common ring structure uses three deployment groups:
@@ -31,7 +31,7 @@ A common ring structure uses three deployment groups:
- Broad: Wide deployment
> [!NOTE]
-> Organizations often use different names for their “rings," for example:
+> Organizations often use different names for their rings, for example:
> - First > Fast > Broad
> - Canaries > Early Adopters > Users
> - Preview > Broad > Critical
@@ -45,8 +45,8 @@ There are no definite rules for exactly how many rings to have for your deployme
There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
+- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
@@ -84,7 +84,7 @@ Analytics can help with defining a good Limited ring of representative devices a
### Who goes in the Limited ring?
-The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
During your pilot and validate phases, you should focus on the following activities:
@@ -93,11 +93,11 @@ During your pilot and validate phases, you should focus on the following activit
- Assess and act if issues are encountered.
- Move forward unless blocked.
-When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+When you deploy to the Limited ring, you'll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
## Broad deployment
-Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network.
+Once the devices in the Limited ring have had a sufficient stabilization period, it's time for broad deployment across the network.
### Who goes in the Broad deployment ring?
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 15d3739ce1..39d270bf63 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -1,19 +1,24 @@
---
-title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
+title: Deploy drivers and firmware updates
+titleSuffix: Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/22/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index 14b6fec38a..a7e5e6a58f 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -1,20 +1,24 @@
---
-title: Deploy expedited updates with Windows Update for Business deployment service
-description: Use Windows Update for Business deployment service to deploy expedited updates.
+title: Deploy expedited updates
+titleSuffix: Windows Update for Business deployment service
+description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 02/14/2023
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 08/29/2023
---
# Deploy expedited updates with Windows Update for Business deployment service
-
-***(Applies to: Windows 11 & Windows 10)***
In this article, you will:
> [!div class="checklist"]
@@ -47,13 +51,13 @@ All of the [prerequisites for the Windows Update for Business deployment service
## List catalog entries for expedited updates
-Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
+Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited.
```msgraph-interactive
-GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1
```
-The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
+The following truncated response displays a **Catalog ID** of `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update:
```json
{
@@ -61,21 +65,119 @@ The following truncated response displays a **Catalog ID** of `693fafea03c24cca
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
- "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
- "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
+ "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
+ "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
"deployableUntilDateTime": null,
- "releaseDateTime": "2023-01-10T00:00:00Z",
+ "releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": true,
- "qualityUpdateClassification": "security"
- },
- ...
+ "qualityUpdateClassification": "security",
+ "catalogName": "2023-08 Cumulative Update for Windows 10 and later",
+ "shortName": "2023.08 B",
+ "qualityUpdateCadence": "monthly",
+ "cveSeverityInformation": {
+ "maxSeverity": "critical",
+ "maxBaseScore": 9.8,
+ "exploitedCves@odata.context": "https://graph.microsoft.com/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
+ "exploitedCves": [
+ {
+ "number": "ADV230003",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
+ },
+ {
+ "number": "CVE-2023-38180",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
+ }
+ ]
+ }
+ }
]
}
```
+The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers.
+
+Use the following to display the product revision information for the most recent quality update:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1
+```
+
+
+The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries(microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions())",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
+ "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "2023-08-08T00:00:00Z",
+ "isExpeditable": true,
+ "qualityUpdateClassification": "security",
+ "catalogName": "2023-08 Cumulative Update for Windows 10 and later",
+ "shortName": "2023.08 B",
+ "qualityUpdateCadence": "monthly",
+ "cveSeverityInformation": {
+ "maxSeverity": "critical",
+ "maxBaseScore": 9.8,
+ "exploitedCves@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
+ "exploitedCves": [
+ {
+ "number": "ADV230003",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
+ },
+ {
+ "number": "CVE-2023-38180",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
+ }
+ ]
+ },
+ "productRevisions@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions",
+ "productRevisions": [
+ {
+ "id": "10.0.19045.3324",
+ "displayName": "Windows 10, version 22H2, build 19045.3324",
+ "releaseDateTime": "2023-08-08T00:00:00Z",
+ "version": "22H2",
+ "product": "Windows 10",
+ "osBuild": {
+ "majorVersion": 10,
+ "minorVersion": 0,
+ "buildNumber": 19045,
+ "updateBuildRevision": 3324
+ },
+ "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.19045.3324')/knowledgeBaseArticle/$entity",
+ "knowledgeBaseArticle": {
+ "id": "KB5029244",
+ "url": "https://support.microsoft.com/help/5029244"
+ }
+ },
+ {
+ "id": "10.0.22621.2134",
+ "displayName": "Windows 11, version 22H2, build 22621.2134",
+ "releaseDateTime": "2023-08-08T00:00:00Z",
+ "version": "22H2",
+ "product": "Windows 11",
+ "osBuild": {
+ "majorVersion": 10,
+ "minorVersion": 0,
+ "buildNumber": 22621,
+ "updateBuildRevision": 2134
+ },
+ "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.22621.2134')/knowledgeBaseArticle/$entity",
+ "knowledgeBaseArticle": {
+ "id": "KB5029263",
+ "url": "https://support.microsoft.com/help/5029263"
+ }
+ },
+```
+
## Create a deployment
-When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
+When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update with catalog entry ID `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5`, and defines the `expedite` and `userExperience` deployment options in the request body.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
@@ -87,7 +189,7 @@ content-type: application/json
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
- "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
+ "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"
}
},
"settings": {
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index b1a289befa..f9ba6dd147 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -1,20 +1,24 @@
---
-title: Deploy feature updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy feature updates.
+title: Deploy feature updates
+titleSuffix: Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 02/14/2023
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 08/29/2023
---
# Deploy feature updates with Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
@@ -82,7 +86,8 @@ The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4b
"displayName": "Windows 11, version 22H2",
"deployableUntilDateTime": "2025-10-14T00:00:00Z",
"releaseDateTime": "2022-09-20T00:00:00Z",
- "version": "Windows 11, version 22H2"
+ "version": "Windows 11, version 22H2",
+ "buildNumber": "22621"
}
]
}
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4b8e52781b..58d36aae43 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -1,20 +1,24 @@
---
-title: Windows Update for Business deployment service
-description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
+title: Overview of the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: overview
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 02/14/2023
---
# Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
Windows Update for Business product family has three elements:
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index ad489103a6..de71ad0223 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -1,20 +1,24 @@
---
-title: Prerequisites for the Windows Update for Business deployment service
-description: Prerequisites for using the Windows Update for Business deployment service.
+title: Prerequisites for the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/14/2023
---
# Windows Update for Business deployment service prerequisites
-***(Applies to: Windows 11 & Windows 10)***
-
Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
## Azure and Azure Active Directory
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index f6be148c37..2d4052bbba 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -1,22 +1,24 @@
---
-title: Troubleshoot the Windows Update for Business deployment service
-description: Solutions to common problems with the service
+title: Troubleshoot the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: troubleshooting
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier1
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 02/14/2023
---
-
-
# Troubleshoot the Windows Update for Business deployment service
-***(Applies to: Windows 11 & Windows 10)***
-
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
## The device isn't receiving an update that I deployed
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 4a20d28511..6a83bab027 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,23 +1,21 @@
---
title: Evaluate infrastructure and tools
-description: Steps to make sure your infrastructure is ready to deploy updates
+description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Evaluate infrastructure and tools
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 1385930bef..41a21d5d7c 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,20 +1,21 @@
---
-title: Best practices - deploy feature updates for user-initiated installations
+title: Best practices - user-initiated feature update installation
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-ms.date: 07/10/2018
-manager: aaroncz
-ms.topic: article
ms.technology: itpro-updates
+ms.topic: best-practice
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 10
+- ✅ Microsoft Configuration Manager
+ms.date: 07/10/2018
---
# Deploy feature updates for user-initiated installations (during a fixed service window)
-**Applies to**: Windows 10
-
Use the following steps to deploy a feature update for a user-initiated installation.
## Get ready to deploy feature updates
@@ -22,7 +23,7 @@ Use the following steps to deploy a feature update for a user-initiated installa
### Step 1: Enable Peer Cache
Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
-[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
@@ -35,7 +36,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
Priority=Normal
```
-You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
```
#Parameters
@@ -80,7 +81,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
```
>[!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation
@@ -89,77 +90,73 @@ The following sections provide the steps to manually deploy a feature update.
### Step 1: Specify search criteria for feature updates
There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
-1. In the Configuration Manager console, click **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
+1. In the Configuration Manager console, select **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed.
3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
- - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
+ - In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
+ - Select **Add Criteria**, select the criteria that you want to use to filter software updates, select **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
4. Save the search for future use.
### Step 2: Download the content for the feature update(s)
-Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
-2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
+2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right-click, and select **Download**.
The **Download Software Updates Wizard** opens.
3. On the **Deployment Package** page, configure the following settings:
**Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
- - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
+ - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters.
- **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
+ - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
- >[!NOTE]
- >The deployment package source location that you specify cannot be used by another software deployment package.
+ > [!IMPORTANT]
+ > - The deployment package source location that you specify cannot be used by another software deployment package.
+ > - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
+ > - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
- >[!IMPORTANT]
- >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
-
- >[!IMPORTANT]
- >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
-
- Click **Next**.
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+ Select **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
- >The Distribution Points page is available only when you create a new software update deployment package.
+ > The Distribution Points page is available only when you create a new software update deployment package.
5. On the **Distribution Settings** page, specify the following settings:
- - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority.
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
- **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
+ - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default.
- For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
- Click **Next**.
+ For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ Select **Next**.
6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access.
>[!NOTE]
- >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+ > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
- Click **Next**.
-7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
-8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
-9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**.
+ Select **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**.
#### To monitor content status
-1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
-2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
+1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**.
3. Select the feature update package that you previously identified to download the feature updates.
-4. On the **Home** tab, in the Content group, click **View Status**.
+4. On the **Home** tab, in the Content group, select **View Status**.
### Step 3: Deploy the feature update(s)
After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
-1. In the Configuration Manager console, click **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
-3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
+1. In the Configuration Manager console, select **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**.
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right select, and select **Deploy**.
The **Deploy Software Updates Wizard** opens.
4. On the General page, configure the following settings:
@@ -178,7 +175,7 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
- - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**.
+ - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that don't require any software updates in the deployment aren't started. By default, this setting isn't enabled and is available only when **Type of deployment** is set to **Required**.
>[!WARNING]
>Before you can use this option, computers and networks must be configured for Wake On LAN.
@@ -189,7 +186,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
- **Software available time**: Select **Specific time** to specify when the software updates will be available to clients:
- - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded.
+ - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment isn't available for installation until after the specified date and time are reached and the required content has been downloaded.
- **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
@@ -198,7 +195,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window.
- Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated.
+ Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients start downloading the content based on a randomized time. The feature update won't be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation starts immediately when initiated.
7. On the User Experience page, configure the following settings:
- **User notifications**: Specify **Display in Software Center and show all notifications**.
@@ -214,25 +211,25 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
- **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
-8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
>[!NOTE]
>You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace.
9. On the Download Settings page, configure the following settings:
- Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
- - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
- - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+ - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates isn't available on a preferred distribution point.
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates aren't available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
>[!NOTE]
- >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
-10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
-11. Click **Next** to deploy the feature update(s).
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, select **Save As Template**, enter a name and select the settings that you want to include in the template, and then select **Save**. To change a configured setting, select the associated wizard page and change the setting.
+11. Select **Next** to deploy the feature update(s).
### Step 4: Monitor the deployment status
After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
-2. Click the software update group or software update for which you want to monitor the deployment status.
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
+2. Select the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, select **View Status**.
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 2978105443..972dd73a69 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,21 +1,26 @@
---
-title: Make FoD and language packs available for WSUS/Configuration Manager
-description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
+title: FoD and language packs for WSUS and Configuration Manager
+description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
-ms.date: 03/13/2019
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Configuration Manager
+- ✅ WSUS
+ms.date: 03/13/2019
---
+
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
-**Applies to**
+This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows.
-- Windows 10
-- Windows 11
+## Version information for Features on Demand and language packs
In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
@@ -23,10 +28,15 @@ As of Windows 10 version 1709, you can't use Windows Server Update Services (WSU
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
-In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
+In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
-For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
+For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
+
+## More resources
+
+- [WSUS documentation](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
+- [Configuration Manager documentation](/mem/configmgr/)
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index bb423208bf..5dc206f1aa 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,23 +1,22 @@
---
title: Windows client updates, channels, and tools
-description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
+description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Windows client updates, channels, and tools
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+This article provides a brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them.
## How Windows updates work
There are four phases to the Windows update process:
@@ -26,18 +25,18 @@ There are four phases to the Windows update process:
administrator. This process is invisible to the user.
- **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
sequential phases.
-- **Install:** After the update is downloaded, depending on the device’s Windows Update settings, the update is installed on the system.
+- **Install:** After the update is downloaded, depending on the device's Windows Update settings, the update is installed on the system.
- **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
version of the software.
## Types of updates
-We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
+We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
-- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
-- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
-- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
-- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
+- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage.
+- **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
+- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates aren't necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
+- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they're installed or not.
- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@@ -50,13 +49,14 @@ The first step of controlling when and how devices install updates is assigning
### General Availability Channel
-In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
+In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
### Windows Insider Program for Business
-Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
+Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are options within the Windows Insider Program for Business channel:
+- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Release Preview
@@ -73,12 +73,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel |
| --- | --- | --- | --- |
-| Home | | | |
-| Pro |  |  | |
-| Enterprise |  | | |
-| Enterprise LTSC |  | | |
-| Pro Education |  |  | |
-| Education |  |  | |
+| Home | Yes|No | No|
+| Pro | Yes | Yes | No|
+| Enterprise | Yes |Yes | No|
+| Enterprise LTSC | No |No | Yes|
+| Pro Education | Yes | Yes | No|
+| Education | Yes | Yes | No|
## Servicing tools
@@ -104,4 +104,4 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
-It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
+It's also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 907f34dd28..ef02459999 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,47 +1,38 @@
---
title: How Windows Update works
-description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
+description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# How Windows Update works
-**Applies to**
-
-- Windows 10
-- Windows 11
-
The Windows Update workflow has four core areas of functionality:
-### Scan
-
-1. Orchestrator schedules the scan.
-2. Orchestrator verifies admin approvals and policies for download.
-
-
-### Download
-1. Orchestrator starts downloads.
-2. Windows Update downloads manifest files and provides them to the arbiter.
-3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
-4. Windows Update client downloads files in a temporary folder.
-5. The arbiter stages the downloaded files.
-
-
-### Install
-1. Orchestrator starts the installation.
-2. The arbiter calls the installer to install the package.
-
-
-### Commit
-1. Orchestrator starts a restart.
-2. The arbiter finalizes before the restart.
+1. Scan
+ 1. Orchestrator schedules the scan.
+ 1. Orchestrator verifies admin approvals and policies for download.
+1. Download
+ 1. Orchestrator starts downloads.
+ 1. Windows Update downloads manifest files and provides them to the arbiter.
+ 1. The arbiter evaluates the manifest and tells the Windows Update client to download files.
+ 1. Windows Update client downloads files in a temporary folder.
+ 1. The arbiter stages the downloaded files.
+1. Install
+ 1. Orchestrator starts the installation.
+ 1. The arbiter calls the installer to install the package.
+1. Commit
+ 1. Orchestrator starts a restart.
+ 1. The arbiter finalizes before the restart.
## How updating works
@@ -52,7 +43,7 @@ During the updating process, the Windows Update Orchestrator operates in the bac
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
-When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
+When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
Make sure you're familiar with the following terminology related to Windows Update scan:
@@ -61,8 +52,8 @@ Make sure you're familiar with the following terminology related to Windows Upda
|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
-|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.|
-|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. |
+|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.|
+|Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. |
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
|Online scan|Scan that uses the network and to check an update server. |
@@ -80,7 +71,7 @@ Windows Update does the following actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
-- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
+- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@@ -88,9 +79,9 @@ When users start scanning in Windows Update through the Settings panel, the foll
#### Proxy Behavior
-For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
+For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)):
- System proxy is attempted (set using the `netsh` command).
-- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
+- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it's the logged-in user).
> [!Note]
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
@@ -130,13 +121,13 @@ Common update failure is caused due to network issues. To find the root of the i
> [!NOTE]
> If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
-- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured.
## Downloading updates
-Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
+Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 1975275322..388592c36c 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
-ms.date: 04/06/2022
+ms.date: 08/21/2023
ms.localizationpriority: medium
---
@@ -14,10 +14,11 @@ Devices must be able to contact the following endpoints in order to authenticate
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
-| `https://adl.windows.com` | Required for Windows Update functionality. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
-| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
-| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `*v10c.events.data.microsoft.com` `eu-v10c.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
+| `umwatsonc.events.data.microsoft.com` `eu-watsonc.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
+| `v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
+| `adl.windows.com` | Required for Windows Update functionality. |
+| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
+| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `*.blob.core.windows.net` | Azure blob data storage.|
\ No newline at end of file
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 2c7e5e39f8..e2f3ab0e3c 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,24 +1,22 @@
---
title: Update Windows installation media with Dynamic Update
-description: Learn how to deploy feature updates to your mission critical devices
+description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 07/17/2023
ms.reviewer: stevedia
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 07/17/2023
---
# Update Windows installation media with Dynamic Update
-**Applies to**
-
-- Windows 10
-- Windows 11
-
This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
diff --git a/windows/deployment/update/media/7991583-update-seeker-enabled.png b/windows/deployment/update/media/7991583-update-seeker-enabled.png
new file mode 100644
index 0000000000..34e0e5e413
Binary files /dev/null and b/windows/deployment/update/media/7991583-update-seeker-enabled.png differ
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index b088d43792..1245ce7f59 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -1,20 +1,21 @@
---
title: Migrating and acquiring optional Windows content
-description: Keep language resources and Features on Demand during operating system updates
+description: How to keep language resources and Features on Demand during operating system updates for your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 03/15/2023
---
# Migrating and acquiring optional Windows content during updates
-***(Applies to: Windows 11 & Windows 10)***
-
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
@@ -43,7 +44,7 @@ Windows Setup needs access to the optional content. Since optional content isn't
### User-initiated feature acquisition failure
-The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
+The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows acquires the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
## Options for acquiring optional content
@@ -77,7 +78,7 @@ Consider moving to Windows Update for Business. Not only will the optional conte
Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example:
-- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved.
+- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates are included and current based on the month that the feature update was approved.
- Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing.
@@ -94,9 +95,9 @@ If you're not ready to move to Windows Update, another option is to enable Dynam
- **Latest cumulative update**: Installs the latest cumulative quality update.
- **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
-In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+In addition to these updates for the new operating system, Dynamic Update acquires optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it fetches content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
-Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update.
+Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device reboots again for the latest cumulative update since it wasn't available during the feature update.
One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
@@ -120,7 +121,7 @@ The benefit of this option is that the Windows image can include those additiona
A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview).
-When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
+When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
@@ -134,12 +135,12 @@ Several of the options address ways to address optional content migration issues
- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
-- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
+- If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
-## Learn more
+## More resources
For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
@@ -156,11 +157,11 @@ For more information about the Unified Update Platform and the approaches outlin
## Sample scripts
-Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
+Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so let's look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
### Creating an optional content repository
-To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
+To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
@@ -573,7 +574,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
### Saving optional content in the source operating system
-To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy.
+To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action limits the files to copy.
```powershell
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index cf56100362..3116459b20 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,26 +1,26 @@
---
title: Define readiness criteria
-description: Identify important roles and figure out how to classify apps
+description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Define readiness criteria
-**Applies to**
-
-- Windows 10
-- Windows 11
+Planning and managing a deployment involves a variety of distinct activities and roles best suited to each activity. This article describes how to identify important roles and figure out how to classify apps.
## Figure out roles and personnel
-Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
@@ -50,13 +50,9 @@ This table sketches out one view of the other roles, with their responsibilities
|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
-
-
-
-
## Set criteria for rating apps
-Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren't critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
@@ -78,7 +74,7 @@ Here's an example priority rating system; the specifics could vary for your orga
|---------|---------|
|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
-|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
+|3 | Start investigating risks and issues within 10 business days. You don't have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index bc225337f8..9f3f2e92b7 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,45 +1,43 @@
---
title: Define update strategy
-description: Two examples of a calendar-based approach to consistent update installation
+description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Define update strategy with a calendar
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
-Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
+Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows release cycles, update mechanisms, and relevant tools to support this model. For more information about the Windows lifecycle, see [Windows lifecycle FAQ](/lifecycle/faq/windows).
-We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
+We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. The lifecycle cadence lets you allow some portion of your environment to move faster while the majority can move less quickly.
## Calendar approaches
-You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates.
+You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they stop receiving the monthly security updates once a version is out of support.
-### Annual
-Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
+## Annual approach
+Here's a calendar showing an example schedule that applies one Windows feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
[  ](images/annual-calendar.png#lightbox)
-This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
+This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update.
This cadence might be most suitable for you if any of these conditions apply:
-- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You're just starting your journey with the Windows servicing process. If you're unfamiliar with new processes that support Windows servicing, moving from a project happening once every three to five years to a feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
-- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
+- You want to wait and see how successful other companies are at adopting a Windows feature update.
-- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months).
+- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change.
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index b25c48f947..735e5a3095 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -1,37 +1,35 @@
---
title: Determine application readiness
-manager: aaroncz
-description: How to test your apps to know which need attention prior to deploying an update
+description: How to test your apps to identify which need attention prior to deploying an update in your organization.
ms.prod: windows-client
-ms.localizationpriority: medium
-ms.topic: article
+ms.technology: itpro-updates
+ms.topic: conceptual
ms.author: mstewart
author: mestew
-ms.technology: itpro-updates
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Determine application readiness
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization.
## Validation methods
-You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
+You can choose from various methods to validate apps. Exactly which ones to use depends on the specifics of your environment.
|Validation method |Description |
|---------|---------|
-|Full regression | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this. |
-|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. |
-|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
-|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
-|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren’t handled by enterprise application distribution. |
+|Full regression | A full quality assurance probing. Staff that know the application well and can validate its core functionality should do this validation. |
+|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they're validating. |
+|Automated testing | Software performs tests automatically. The software lets you know whether the tests have passed or failed, and provides detailed reporting for you automatically. |
+|Test in pilot | You preselect users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
+|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren't handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:
@@ -46,7 +44,7 @@ Combining the various validation methods with the app classifications you've pre
### Identify users
-Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
+Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you have to choose which users are best suited for validation testing. Some factors to consider include:
- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
@@ -56,10 +54,10 @@ You could seek volunteers who enjoy working with new features and include them i
### Identify and set up devices for validation
-In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
+In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection includes devices representing all of the hardware models in your environment.
-There is more than one way to choose devices for app validation:
+There's more than one way to choose devices for app validation:
- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
-- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
+- **Manual selection**: Some internal groups like operations have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index a6c241bac8..ad9ebeff3a 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -2,28 +2,26 @@
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Prepare to deploy Windows
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items:
+Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase left you with these useful items:
- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
- A plan for [testing and validating](plan-determine-app-readiness.md) apps
- An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness
-- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
+- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
Now you're ready to actually start making changes in your environment to get ready to deploy.
@@ -33,26 +31,26 @@ Now you're ready to actually start making changes in your environment to get rea
- Update non-Microsoft security tools like security agents or servers.
- Update non-Microsoft management tools like data loss prevention agents.
-Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
+Your infrastructure probably includes many different components and tools. You need to ensure your environment isn't affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
-1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
+1. Review all of the infrastructure changes that you've identified in your plan. It's important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
-2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment.
+2. Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment.
3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
-You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example:
+You should also look at your organization's environment's configuration and outline how you'll implement any necessary changes previously identified in the plan phase to support the update. Consider what you need to do for the various settings and policies that currently underpin the environment. For example:
-- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations.
+- Implement new draft security guidance. New versions of Windows can include new features that improve your environment's security. Your security teams will want to make appropriate changes to security-related configurations.
- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
-However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example:
+However, your configuration will consist of many different settings and policies. It's important to only apply changes where they're necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that slow down the update process. You want to ensure your environment isn't affected adversely because of changes you make. For example:
-1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
+1. Review new security settings. Your security team reviews the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
-2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
+2. Review security baselines for changes. Security teams also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
@@ -142,9 +140,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
- Compact the operating system by running **Compact.exe /CompactOS:always**.
-- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
+- Remove Windows Features on Demand that the user doesn't need. For more information, see [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
-- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy) for more information.
+- Move Windows Known Folders to OneDrive. For more information, see [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy).
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
@@ -167,9 +165,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
## Prepare capability
-In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
+In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You need to complete these higher-level tasks to gain those new capabilities:
-- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
+- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates.
- Validate new changes to understand how they affect the wider environment.
@@ -177,12 +175,12 @@ In the plan phase, you determined the specific infrastructure and configuration
## Prepare users
-Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
+Users often feel like they're forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
-You can employ a variety of measures to achieve this goal, for example:
+You can employ various measures to achieve this goal, for example:
- Send overview email about the update and how it will be deployed to the entire organization.
- Send personalized emails to users about the update with specific details.
- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
-- Provide the ability to voluntarily update at users’ convenience.
+- Provide the ability to voluntarily update at users' convenience.
- Inform users of a mandatory installation date when the update will be installed on all devices.
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 6061c9efab..bb6949ca8e 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,19 +1,21 @@
---
title: Update release cycle for Windows clients
-description: Learn about the release cycle of updates for Windows clients to stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 05/19/2023
---
# Update release cycle for Windows clients
-***(Applies to: Windows 11 & Windows 10)***
Windows updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Updates for the Windows client OS are typically cumulative. They include all previously released fixes to guard against fragmentation of the operating system. Reliability and vulnerability issues can occur when only a subset of fixes is installed.
@@ -23,11 +25,11 @@ This article provides details on the types of updates that Microsoft provides, a
|Release type | Description | Release cycle |
|---|---|---|
-| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
-| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
+| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and nonsecurity content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
+| [Optional nonsecurity preview release](#optional-nonsecurity-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
-| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
+| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional nonsecurity preview release then in the monthly security update releases |
## Monthly security update release
@@ -42,7 +44,7 @@ Most people are familiar with the **monthly security update release**. The **mon
- Latest cumulative update (LCU)
-**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with non-security content introduced in the prior month's [**Optional non-security preview release**](#optional-non-security-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
+**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with nonsecurity content introduced in the prior month's [**Optional nonsecurity preview release**](#optional-nonsecurity-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
Monthly security update releases are available through the following channels:
@@ -52,11 +54,11 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
-## Optional non-security preview release
+## Optional nonsecurity preview release
-**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
+**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
-**Optional non-security preview releases** might commonly be referred to as:
+**Optional nonsecurity preview releases** might commonly be referred to as:
- C or D week releases (meaning the third or fourth week of the month)
- Preview updates
@@ -64,9 +66,9 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
> [!Important]
-> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
+> Starting in April 2023, all **optional nonsecurity preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
-To access the optional non-security preview release:
+To access the optional nonsecurity preview release:
- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
@@ -78,16 +80,16 @@ To access the optional non-security preview release:
Some key considerations about OOB releases include:
- OOB releases are always cumulative.
- - OOB releases supersede any prior monthly security update and optional non-security preview release.
+ - OOB releases supersede any prior monthly security update and optional nonsecurity preview release.
- OOB releases generally require IT admins to deploy off-cycle.
- Some OOB releases are classified as critical.
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
-- Some OOB releases are classified as non-critical.
- - Non-critical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+- Some OOB releases are classified as noncritical.
+ - Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
## Continuous innovation for Windows 11
-Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
+Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional nonsecurity preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 6535bc2084..86232917dd 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,31 +1,29 @@
---
-title: Safeguard holds
-description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
+title: Safeguard holds for Windows
+description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Safeguard holds
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
-The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
+The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update resumes offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
@@ -37,11 +35,11 @@ IT admins can use [Windows Update for Business reports](wufb-reports-overview.md
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
-On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
+On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users see a message.
-This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
+This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we release the safeguard hold so the update can resume safely.
## What can I do?
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index 96b29c913a..30227f3553 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -1,38 +1,35 @@
---
title: Opt out of safeguard holds
-description: Steps to install an update even it if has a safeguard hold applied
+description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 10/21/2020
---
# Opt out of safeguard holds
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
## How can I opt out of safeguard holds?
-IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11.
+IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running the following operating systems:
+- Windows 11
+- Windows 10, version 1809, or later, with the October 2020 security update.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
-Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
+Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues.
> [!NOTE]
-> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
-
-
-
+> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 30228a83de..fd0efc4571 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -2,29 +2,26 @@
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.collection:
- highpri
- tier2
-ms.topic: conceptual
-ms.technology: itpro-updates
+ms.localizationpriority: high
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server
ms.date: 12/31/2017
---
# Servicing stack updates
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server
-
## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
@@ -34,8 +31,6 @@ Servicing stack updates improve the reliability of the update process to mitigat
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
->[!NOTE]
->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
## What's the difference between a servicing stack update and a cumulative update?
@@ -49,18 +44,18 @@ Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
+Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
-* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
+* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
-* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
+* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 9173c21e30..b534f09c0c 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,35 +1,35 @@
---
-title: Update Baseline
-description: Use an update baseline to optimize user experience and meet monthly update goals
+title: Windows 10 Update Baseline
+description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Update Baseline
-**Applies to:** Windows 10
-
> [!NOTE]
-> Update Baseline is not currently available for Windows 11.
+> Update Baseline isn't currently available for Windows 11.
With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
## Why is Update Baseline needed?
-Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you are just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
+Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
## You can use Update Baseline to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
-Update Baseline doesn't affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices and when.
+Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when.
## Policies included in the Update Baseline
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index d4302cecac..b7fa2d5094 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -1,23 +1,21 @@
---
-title: Policies for update compliance, activity, and user experience
-description: Explanation and recommendations for settings
+title: Policies for update compliance and user experience
+description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Policies for update compliance, activity, and user experience
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@@ -30,7 +28,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s
Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
-The older policies started enforcing deadlines once the device reached a “restart pending” state for
+The older policies started enforcing deadlines once the device reached a `restart pending` state for
an update. The new policy starts the countdown for the update installation deadline from when the
update is published plus any deferral. In addition, this policy includes a configurable grace period and the option
to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic
@@ -42,7 +40,7 @@ We recommend you set deadlines as follows:
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
-do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
+do **not** set any notification policies, because they're automatically configured with appropriate defaults. An exception is if you
have kiosks or digital signage.
While three days for quality updates and seven days for feature updates is our recommendation, you might decide
@@ -57,7 +55,7 @@ to a minimum of two days.
### Grace periods
You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This
-is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not
+is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device won't
be forced to update immediately when the user returns.
We recommend you set the following:
@@ -79,15 +77,15 @@ automatic restart. To take advantage of this feature, ensure **ConfigureDeadline
Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
of continuous activity, in order to successfully complete a system update. The device could have other
physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
-on battery power, or the user has shut down the device before active hours end and the device cannot comply
+on battery power, or the user has shut down the device before active hours end and the device can't comply
with the deadline.
-You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.
+You can use the settings in this section to ensure that devices are available to install updates during the update compliance period.
### Active hours
-"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of
-these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
+"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts occur outside of
+these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user's activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
> [!IMPORTANT]
> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these
@@ -96,14 +94,12 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
-- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged
-in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we
-recommend setting the following polices to **Disabled**:
+- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
- - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that
-updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings.
+ - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users receive notifications that
+updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user's ability to delay a restart outside of compliance deadline settings.
- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**:
- [Update/RequireUpdateApproval](/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
@@ -113,8 +109,8 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates)
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
-- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
-- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service.
+- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
+- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@@ -127,11 +123,11 @@ recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in
### Power policies
-Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
+Devices must actually be available during nonactive hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
-To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
+To a user, a device is either on or off, but for Windows, there are states that allow an update to occur (active) and states that don't (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
-You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.
+You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during nonactive hours.
> [!NOTE]
> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.
@@ -139,13 +135,12 @@ You can override the default settings and prevent users from changing them in or
We recommend these power management settings:
- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system
-appears to be off but if an update is available, it can wake the device up in order to take an update. The
+appears to be off but if an update is available, it can wake up the device in order to take an update. The
power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest
-power level before shutdown). When a device is not being used, the system will generally move to sleep
+power level before shutdown). When a device isn't being used, the system will generally move to sleep
mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is
-too short and Windows does not have time to complete an update. Sleep mode is an important setting
-because the system can wake the system from sleep in order to start the update process, as long as there
-is enough power.
+too short and Windows doesn't have time to complete an update. Sleep mode is an important setting
+because the system can wake the system from sleep in order to start the update process, as long as there's enough power.
Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode:
- [Power/AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery)
@@ -156,15 +151,15 @@ sleep mode and the device has an opportunity to take an update:
- [Power/SelectLidCloseActionOnBattery](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
-- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up
-without user intervention, like pressing the power button. If a device is in this state, it cannot be updated
+- **Hibernate**. When a device is hibernating, power consumption is low and the system can't wake up
+without user intervention, like pressing the power button. If a device is in this state, it can't be updated
unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep
-(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete.
+(S3) is plugged in, and a Windows update is available, a hibernate state is delayed until the update is complete.
> [!NOTE]
> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates).
-The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
+The default timeout on devices that support traditional sleep is set to three hours. We recommend that you don't reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
- [Power/HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery)
- [Power/HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin)
@@ -177,7 +172,7 @@ Each release of Windows client can introduce new policies to make the experience
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.
-As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
+As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
@@ -192,11 +187,11 @@ As administrators, you have set up and expect certain behaviors, so we expressly
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
-deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature
+deferral) so that the feature update can complete and monthly security updates are offered again. Even if there's an urgent quality update that must be quickly deployed, it's best to use **Pause Feature
Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update.
- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days.
- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
-- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
-- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
+- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
+- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
-There are additional policies are no longer supported or have been superseded.
+There are also additional policies are no longer supported or have been superseded.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 1329d93a6b..840ea3d5a7 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -2,31 +2,28 @@
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Configure BranchCache for Windows client updates
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
- >[!TIP]
- >Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
+ > [!TIP]
+ > Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
@@ -36,7 +33,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
## Configure servers for BranchCache
@@ -44,8 +41,8 @@ You can use WSUS and Configuration Manager with BranchCache in Distributed Cache
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
-In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
+In addition to these steps, there's one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
->[!NOTE]
->Configuration Manager only supports Distributed Cache mode.
+> [!NOTE]
+> Configuration Manager only supports Distributed Cache mode.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index c6c7a89a58..6af6c31910 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -6,22 +6,21 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-updates
-ms.date: 05/19/2023
+ms.collection:
+ - tier1
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
+ms.date: 08/22/2023
---
# Configure Windows Update for Business
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-- Windows Server 2022
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> [!NOTE]
@@ -162,7 +161,7 @@ In cases where the pause policy is first applied after the configured start date
| MDM for Windows 10, version 1607 or later: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
@@ -210,6 +209,43 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+## Enable optional updates
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
+
+To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
+
+:::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png":::
+
+The following options are available for the policy:
+
+- **Automatically receive optional updates (including CFRs)**:
+ - The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
+ - The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
+ - Devices will receive CFRs in early phases of the rollout.
+
+- **Automatically receive optional updates**:
+ - The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
+ - The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
+
+- **Users can select which optional updates to receive**:
+ - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
+ - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
+ - CFRs are offered to the device, but not necessarily in the early phases of the rollout.
+ - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
+ - The device will receive CFRs in early phases of the rollout.
+ - Optional updates are automatically installed on the device.
+
+- **Not configured** (default):
+ - Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
+
+**Policies to enable optional updates**
+
+| Policy | Sets registry key under HKLM\Software |
+| --- | --- |
+| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+
## Enable features that are behind temporary enterprise feature control
@@ -221,8 +257,8 @@ The features that are behind temporary enterprise feature control will be enable
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
-| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
-| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: ../Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
+| GPO for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
+| MDM for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
@@ -233,6 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
+| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
@@ -248,6 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
+| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
@@ -272,3 +310,4 @@ When a device running a newer version sees an update available on Windows Update
| PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
| PauseQualityUpdates | PauseQualityUpdatesStartTime |
+
\ No newline at end of file
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 007f114627..d94af9011d 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -2,23 +2,20 @@
title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Integrate Windows Update for Business with management solutions
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
@@ -28,8 +25,8 @@ You can integrate Windows Update for Business deployments with existing manageme
For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
-- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
-- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
+- Devices receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows won't follow your Windows Update for Business deferral policies
### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
@@ -37,9 +34,9 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
- Device is configured to defer Windows quality updates using Windows Update for Business
- Device is also configured to be managed by WSUS
-- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
+- Device isn't configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put updates to Office and other products on WSUS
-- Admin has also put 3rd party drivers on WSUS
+- Admin has also put third-party drivers on WSUS
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@@ -70,12 +67,12 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
**Configuration:**
- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS
-- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
+- Device is configured to **receive updates for other Microsoft products** along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
-In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
+In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS weren't enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
-- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
+- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies aren't applied.
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@@ -90,9 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo
## Integrate Windows Update for Business with Microsoft Configuration Manager
-For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices are visible in the Configuration Manager console, however they appear with a detection state of **Unknown**.
:::image type="content" alt-text="Example of unknown devices." source="images/wufb-sccm.png" lightbox="images/wufb-sccm.png":::
-For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
+For more information, see [Integration with Windows Update for Business in Windows 10](/mem/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10).
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 93ab10c8bc..b1aee2ba14 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,33 +1,31 @@
---
-title: Deploy Windows client updates using Windows Server Update Services
+title: Deploy updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: how-to
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ WSUS
ms.date: 12/31/2017
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
-When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
@@ -46,7 +44,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us
## WSUS scalability
-To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720448(v=ws.10)).
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
@@ -68,19 +66,19 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!NOTE]
>In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
-4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
-5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**.
8. In the **Configure Automatic Updates** dialog box, select **Enable**.
-9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**.
@@ -88,7 +86,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
- > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
+ > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
@@ -117,13 +115,13 @@ You can use computer groups to target a subset of devices that have specific qua
1. Open the WSUS Administration Console.
-2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
+2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**.
-3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**.
-4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups.
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
@@ -143,15 +141,15 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
- Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+ Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you'll likely have many computers here.
-2. Select both computers, right-click the selection, and then click **Change Membership**.
+2. Select both computers, right-click the selection, and then select **Change Membership**.
-3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then select **OK**.
- Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+ Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you'll see both computers there.
### Search for multiple computers to add to groups
@@ -159,15 +157,15 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
**To search for multiple computers**
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then select **Search**.
2. In the search box, type **WIN10**.
-3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+3. In the search results, select the computers, right-click the selection, and then select **Change Membership**.
-4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**.
You can now see these computers in the **Ring 3 Broad IT** computer group.
@@ -180,11 +178,11 @@ The WSUS Administration Console provides a friendly interface from which you can
**To configure WSUS to allow client-side targeting from Group Policy**
-1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**.
-2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**.
>[!NOTE]
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
@@ -194,23 +192,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
**To configure client-side targeting**
>[!TIP]
->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don't add computers to the incorrect rings.
1. Open Group Policy Management Console (gpmc.msc).
2. Expand Forest\Domains\\*Your_Domain*.
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+3. Right-click *Your_Domain*, and then select **Create a GPO in this domain, and Link it here**.
-4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+4. In the **New GPO** dialog box, type **WSUS - Client Targeting - Ring 4 Broad Business Users** for the name of the new GPO.
-5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-7. Right-click **Enable client-side targeting**, and then click **Edit**.
+7. Right-click **Enable client-side targeting**, and then select **Edit**.
8. In the **Enable client-side targeting** dialog box, select **Enable**.
@@ -223,23 +221,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
10. Close the Group Policy Management Editor.
-Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
+Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
**To scope the GPO to a group**
-1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+1. In GPMC, select the **WSUS - Client Targeting - Ring 4 Broad Business Users** policy.
-2. Click the **Scope** tab.
+2. Select the **Scope** tab.
3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
-The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring.
## Automatically approve and deploy feature updates
-For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+For clients that should have their feature updates approved as soon as they're available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
@@ -250,32 +248,32 @@ This example uses Windows 10, but the process is the same for Windows 11.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
-2. On the **Update Rules** tab, click **New Rule**.
+2. On the **Update Rules** tab, select **New Rule**.
3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
-4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**.
-5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
-6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**.
7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
-8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**.
-9. In the **Automatic Approvals** dialog box, click **OK**.
+9. In the **Automatic Approvals** dialog box, select **OK**.
>[!NOTE]
- >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+ >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
-Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+Now, whenever Windows client feature updates are published to WSUS, they'll automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
> [!WARNING]
> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
@@ -291,17 +289,17 @@ To simplify the manual approval process, start by creating a software update vie
**To approve and deploy feature updates manually**
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, select **New Update View**.
2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
-3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+3. Under **Step 2: Edit the properties**, select **any classification**. Clear all check boxes except **Upgrades**, and then select **OK**.
-4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
-5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**.
@@ -309,7 +307,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
-2. Right-click the feature update you want to deploy, and then click **Approve**.
+2. Right-click the feature update you want to deploy, and then select **Approve**.
@@ -317,30 +315,17 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
-4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**.
-5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**.
If the deployment is successful, you should receive a successful progress report.
-6. In the **Approval Progress** dialog box, click **Close**.
-
-
-
-## Steps to manage updates for Windows client
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows client updates using Windows Server Update Services (this topic)or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+6. In the **Approval Progress** dialog box, select **Close**.
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 0b7e01ecae..58343cf36e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -3,25 +3,21 @@ title: Windows Update for Business
manager: aaroncz
description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
ms.topic: overview
+author: mestew
+ms.author: mstewart
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# What is Windows Update for Business?
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
@@ -37,7 +33,7 @@ Specifically, Windows Update for Business lets you control update offerings and
Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
-You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
### Manage deployment of Windows Updates
@@ -62,10 +58,11 @@ You can control when updates are applied, for example by deferring when an updat
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
-#### Enroll in pre-release updates
+#### Enroll in prerelease updates
-The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
+The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
+- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Preview
@@ -81,7 +78,7 @@ A Windows Update for Business administrator can defer the installation of both f
|---------|---------|
|Feature updates | 365 days |
|Quality updates | 30 days |
-|Non-deferrable | none |
+|Nondeferrable | none |
@@ -107,7 +104,7 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
-Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
+Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 2585696606..6f20706c2e 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -2,39 +2,36 @@
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: overview
+ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Overview of Windows as a service
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
## Building
-Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn't work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges.
-In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider community](/windows-insider/business/register) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
-Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
+Of course, Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
## Deploying
@@ -43,13 +40,13 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
### Application compatibility
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds.
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds.
## Servicing
Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes.
-Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that leverages servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
+Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool, see [Servicing tools](#servicing-tools).
@@ -58,7 +55,7 @@ There are three servicing channels, each of which provides different levels of f
There are currently three release channels for Windows clients:
-- The **General Availability Channel** receives feature updates as soon as they are available.
+- The **General Availability Channel** receives feature updates as soon as they're available.
- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- The **Windows Insider Program** provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update.
@@ -75,9 +72,9 @@ New features are packaged into feature updates that you can deploy using existin
### Quality updates
-Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn't, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
-Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
+Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month's update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
## Servicing channels
@@ -88,9 +85,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
### General Availability Channel
-In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
+In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you'll be able to choose the timing at which it goes into broad deployment.
-When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel is available but not necessarily immediately mandatory, depending on the policy of the management system. For more information about servicing tools, see [Servicing tools](#servicing-tools).
> [!NOTE]
@@ -102,7 +99,7 @@ When Microsoft officially releases a feature update, we make it available to any
### Long-term Servicing Channel
-Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. It's more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
> [!NOTE]
>
@@ -113,12 +110,12 @@ Microsoft never publishes feature updates through Windows Update on devices that
> [!NOTE]
> LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in the Enterprise LTSC editions, even if you install by using sideloading.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
### Windows Insider
-For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
+For many IT pros, gaining visibility into feature updates early can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register).
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 825676e789..f027e7d657 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -2,38 +2,35 @@
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: high
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Quick guide to Windows as a service
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-Here is a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
+Here's a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
-- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
+- **Quality updates** deliver both security and nonsecurity fixes. They're typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they're important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **General Availability Channel** receives feature updates annually.
- The **Long-Term Servicing Channel**, which is meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
-See [Overview of Windows as a service](waas-overview.md) for more information.
+For more information, see [Overview of Windows as a service](waas-overview.md).
For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
@@ -41,15 +38,15 @@ For some interesting in-depth information about how cumulative updates work, see
With each release in the General Availability Channel, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion.
-Windows 10 Enterprise LTSC are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
+Windows Enterprise LTSC versions are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
For more information, see [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md).
## Staying up to date
-To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
-Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
+Extensive advanced testing isn't required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index e95825d0c0..007852b8af 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,36 +1,33 @@
---
title: Manage device restarts after updates
-description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
+description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: how-to
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Manage device restarts after updates
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
-To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
@@ -40,25 +37,25 @@ For a detailed description of these registry keys, see [Registry keys used to ma
## Delay automatic reboot
-When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
+When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
-- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
-You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
-*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
-Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
Administrators can use multiple ways to set active hours for managed devices:
@@ -78,7 +75,7 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client
### Configuring active hours through Registry
-This method is not recommended, and should only be used when you can't use Group Policy or MDM.
+This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
Configure active hours by setting a combination of the following registry values:
@@ -102,7 +99,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
-After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
+After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
## Control restart notifications
@@ -120,15 +117,15 @@ Starting in Windows 11, version 22H2, **Apply only during active hours** was add
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
-### Auto-restart notifications
+### Auto restart notifications
-Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
+Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
-You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
@@ -141,20 +138,20 @@ To do so through Group Policy, go to **Computer Configuration\Administrative Tem
To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
-### Scheduled auto-restart warnings
+### Scheduled auto restart warnings
-Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
-To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
-In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
### Engaged restart
-Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
-* Period of time before auto-restart transitions to engaged restart.
+* Period of time before auto restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
@@ -164,17 +161,17 @@ In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-manage
## Group Policy settings for restart
-In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
-| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
-| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
-| Re-prompt for restart with scheduled installations |  | |
-| Delay Restart for scheduled installations |  | |
-| Reschedule Automatic Updates scheduled installations |  | |
+| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
+| Re-prompt for restart with scheduled installations | No | |
+| Delay Restart for scheduled installations | No | |
+| Reschedule Automatic Updates scheduled installations | No | |
>[!NOTE]
@@ -190,8 +187,8 @@ The following tables list registry values that correspond to the Group Policy se
| Registry key | Key type | Value |
| --- | --- | --- |
-| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
@@ -201,8 +198,8 @@ The following tables list registry values that correspond to the Group Policy se
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
-| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on1: don't reboot after an update installation if a user is logged on**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
+| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
There are three different registry combinations for controlling restart behavior:
@@ -210,7 +207,7 @@ There are three different registry combinations for controlling restart behavior
- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
-## Related articles
+## More resources
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 82f1a7f953..3fd3990153 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,24 +1,20 @@
---
-title: Assign devices to servicing channels for Windows client updates
+title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
-# Assign devices to servicing channels for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+# Assign devices to servicing channels for Windows updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -29,12 +25,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- |
-| Home |  |  |  |
-| Pro |  |  |  |
-| Enterprise |  |  |  |
-| Enterprise LTSC |  |  |  |
-| Pro Education |  |  |  |
-| Education |  |  |  |
+| Home | No | No | Yes |
+| Pro | Yes | No | Yes |
+| Enterprise | Yes | No | Yes |
+| Enterprise LTSC | No | Yes | No |
+| Pro Education | Yes | No | Yes |
+| Education | Yes | No | Yes |
>[!NOTE]
@@ -46,7 +42,7 @@ The General Availability Channel is the default servicing channel for all Window
## Enroll devices in the Windows Insider Program
-To get started with the Windows Insider Program for Business, follows these steps:
+To get started with the Windows Insider Program for Business, follow these steps:
1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
2. Follow the prompts to register your tenant.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 278ccbed60..31038c9fc0 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -2,40 +2,36 @@
title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Prepare a servicing strategy for Windows client updates
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-Here’s an example of what this process might look like:
+Here's an example of what this process might look like:
-- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
-- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
+- **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
-1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test devices step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
-2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the “Recruit volunteers” step of the previous section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
+2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 0c088b2aee..5ffafc24a9 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,23 +1,24 @@
---
title: Manage additional Windows Update settings
-description: In this article, learn about additional settings to control the behavior of Windows Update.
+description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
ms.prod: windows-client
-ms.localizationpriority: medium
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: how-to
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 04/25/2023
---
# Manage additional Windows Update settings
-***(Applies to: Windows 11 & Windows 10)***
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index fbbb54d9b6..3d79d66cd5 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -2,23 +2,20 @@
title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/28/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -176,9 +173,9 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
-**0** (default) – Use the default Windows Update notifications
-**1** – Turn off all notifications, excluding restart warnings
-**2** – Turn off all notifications, including restart warnings
+**0** (default) - Use the default Windows Update notifications
+**1** - Turn off all notifications, excluding restart warnings
+**2** - Turn off all notifications, including restart warnings
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7d696f704d..7c431a1818 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,28 +1,28 @@
---
title: Configure Windows Update for Business via Group Policy
-description: Walk through of how to configure Windows Update for Business settings using Group Policy.
+description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices.
ms.prod: windows-client
+ms.technology: itpro-updates
+manager: aaroncz
+ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.collection:
- highpri
- tier2
-manager: aaroncz
-ms.topic: how-to
-ms.technology: itpro-updates
-ms.date: 02/28/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
+ms.date: 08/22/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
## Overview
@@ -195,11 +195,42 @@ Still more options are available in **Computer Configuration > Administrative Te
Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
-Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**.
+Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
+#### I want to enable optional updates
+
+(*Starting in Windows 11, version 22H2 or later*)
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
+
+To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](waas-configure-wufb.md#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
+
+The following options are available for the policy:
+
+- **Automatically receive optional updates (including CFRs)**:
+ - The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
+ - The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
+ - Devices will receive CFRs in early phases of the rollout.
+
+- **Automatically receive optional updates**:
+ - The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
+ - The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
+
+- **Users can select which optional updates to receive**:
+ - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
+ - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
+ - CFRs are offered to the device, but not necessarily in the early phases of the rollout.
+ - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
+ - The device will receive CFRs in early phases of the rollout.
+ - Optional updates are automatically installed on the device.
+
+- **Not configured** (default):
+ - Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
+
+
#### I want to enable features introduced via servicing that are off by default
(*Starting in Windows 11, version 22H2 or later*)
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index 2280794391..c37d7cc3d2 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -2,95 +2,92 @@
title: Windows Update error code list by component
description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 09/18/2018
-ms.topic: article
-ms.technology: itpro-updates
---
# Windows Update error codes by component
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
This section lists the error codes for Microsoft Windows Update.
## Automatic Update Errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------|
-| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
-| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
-| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
-| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
-| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
-| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
-| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
+| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
+| `0x8024A000` | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
+| `0x8024A002` | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
+| `0x8024A003` | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
+| `0x8024A004` | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
+| `0x8024A005` | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
+| `0x8024AFFF` | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
## Windows Update UI errors
| Error code | Message | Description |
|------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. |
-| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. |
-| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. |
-| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
-| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
-| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
-| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
-| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
+| `0x80243001` | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. |
+| `0x80243002` | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation couldn't be read from the registry due to an invalid data format. |
+| `0x80243003` | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation aren't available; the operation may have failed to start. |
+| `0x80243004` | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
+| `0x80243FFD` | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
+| `0x80243FFE` | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
+| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
+| `0x8024043D` | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property isn't available. |
## Inventory errors
| Error code | Message | Description |
|------------|--------------------------------------------|-------------------------------------------------------------------------------|
-| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
-| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
-| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
-| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
-| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
+| `0x80249001` | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
+| `0x80249002` | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
+| `0x80249003` | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
+| `0x80249004` | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
+| `0x80249005` | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
## Expression evaluator errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation could not be completed because an expression was unrecognized. |
-| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation could not be completed because an expression was invalid. |
-| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
-| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. |
-| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator could not be initialized. |
-| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation could not be completed because there was an invalid attribute. |
-| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. |
-| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
+| `0x8024E001` | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was unrecognized. |
+| `0x8024E002` | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was invalid. |
+| `0x8024E003` | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. |
+| `0x8024E004` | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid. |
+| `0x8024E005` | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator couldn't be initialized. |
+| `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. |
+| `0x8024E007` | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. |
+| `0x8024EFFF` | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
## Reporter errors
| Error code | Message | Description |
|------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
-| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation could not be completed because the scan package was invalid. |
-| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. |
-| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
-| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
-| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor could not be parsed. |
-| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor could not be parsed. |
-| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
-| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
+| `0x80247001` | `WU_E_OL_INVALID_SCANFILE` | An operation couldn't be completed because the scan package was invalid. |
+| `0x80247002` | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. |
+| `0x80247FFF` | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
+| `0x8024F001` | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
+| `0x8024F002` | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor couldn't be parsed. |
+| `0x8024F003` | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor couldn't be parsed. |
+| `0x8024F004` | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
+| `0x8024FFFF` | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
## Redirector errors
The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors.
| Error code | Message | Description |
|----------- |------------------------------|------------------------------------------------------------------------------------------|
-| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document could not be loaded into the DOM class. |
-| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
-| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
-| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
+| `0x80245001` | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document couldn't be loaded into the DOM class. |
+| `0x80245002` | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
+| `0x80245003` | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
+| `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
## Protocol Talker errors
The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method.
@@ -98,271 +95,271 @@ The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. Th
| Error code | Message | Description |
|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
-| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
-| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
-| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
-| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
-| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
-| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
-| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
-| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
-| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
-| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
+| `0x80244000` | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
+| `0x80244001` | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
+| `0x80244002` | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
+| `0x80244003` | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
+| `0x80244004` | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
+| `0x80244005` | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
+| `0x80244006` | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
+| `0x80244007` | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
+| `0x80244008` | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
+| `0x80244009` | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
+| `x8024400A` | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
## Other Protocol Talker errors
-The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
+The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
-| Error code | Message | Description |
-|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
-| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
-| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
-| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. |
-| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
-| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
-| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
-| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
-| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name could not be determined. |
-| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
-| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
-| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
-| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
-| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
-| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. |
-| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
-| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
-| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
-| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
-| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
-| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
-| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
-| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
-| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
-| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. |
-| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
-| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. |
-| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
-| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
-| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
-| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
-| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. |
-| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
-| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
-| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. |
-| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
-| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
-| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest could not be extracted from an external cab file. |
-| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file could not be decompressed. |
-| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
-| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
-| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
-| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. |
+| Error code | Message | Description |
+|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| `0x8024400B` | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
+| `0x8024400C` | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
+| `0x8024400D` | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
+|`0x8024400E` | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message couldn't be processed due to a server error; resend later. |
+| `0x8024400F` | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
+| `0x80244010` | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
+| `0x80244011` | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
+| `0x80244012` | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
+| `0x80244013` | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name couldn't be determined. |
+| `0x80244015` | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
+| `0x80244016` | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server couldn't process the request due to invalid syntax. |
+| `0x80244017` | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
+| `0x80244018` | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
+| `0x80244019` | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server can't find the requested URI (Uniform Resource Identifier). |
+| `0x8024401A` | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method isn't allowed. |
+| `0x8024401B` | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
+| `0x8024401C` | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
+| `0x8024401D` | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request wasn't completed due to a conflict with the current state of the resource. |
+| `0x8024401E` | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
+| `0x8024401F` | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
+| `0x80244020` | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server doesn't support the functionality required to fulfill the request. |
+|`0x80244021` | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
+| `0x80244022` | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
+| `0x80244023` | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
+| `0x80244024` | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server doesn't support the HTTP protocol version used for the request. |
+| `0x80244025` | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
+| `0x80244026` | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent doesn't support registration with a non-WSUS server. |
+| `0x80244027` | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
+| `0x80244028` | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
+| `0x80244029` | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
+| `0x8024402A` | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
+| `0x8024402B` | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request couldn't be completed and the reason didn't correspond to any of the `WU_E_PT_HTTP_*` error codes. |
+| `0x8024402C` | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name can't be resolved. |
+| `0x8024402F` | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
+| `0x80244030` | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization didn't complete. |
+| `0x80244031` | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
+| `0x80244032` | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
+| `0x80244033` | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest couldn't be extracted from an external cab file. |
+| `0x80244034` | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file couldn't be decompressed. |
+| `0x80244035` | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
+| `0x80244FFF` | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
+| `0x8024502D` | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
+| `0x8024502E` | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action didn't complete because the server is managed. |
## Download Manager errors
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation could not be completed because the requested file does not have a URL. |
-| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation could not be completed because the file digest was not recognized. |
-| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. |
-| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation could not be completed because a download request is required from the download handler. |
-| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation could not be completed because the network connection was unavailable. |
-| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
-| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. |
-| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
-| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
-| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
-| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
-| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
+| `0x80246001` | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation couldn't be completed because the requested file doesn't have a URL. |
+| `0x80246002` | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation couldn't be completed because the file digest wasn't recognized. |
+| `0x80246003` | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm. |
+| `0x80246004` | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation couldn't be completed because a download request is required from the download handler. |
+| `0x80246005` | `WU_E_DM_NONETWORK` | A download manager operation couldn't be completed because the network connection was unavailable. |
+| `0x80246006` | `WU_E_DM_WRONGBITSVERSION` | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
+| `0x80246007` | `WU_E_DM_NOTDOWNLOADED` | The update hasn't been downloaded. |
+| `0x80246008` | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
+| `0x80246009` | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
+| `0x8024600A` | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
+| `0x8024600B` | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
+| `0x80246FFF` | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
## Update Handler errors
| Error code | Message | Description |
|------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler could not be completed because no remote process is available. |
-| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. |
-| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. |
-| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. |
-| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). |
-| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. |
-| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. |
-| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. |
-| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
-| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. |
-| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. |
-| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
-| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
-| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. |
-| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
-| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
-| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
-| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
-| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
-| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
-| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
-| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. |
-| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
-| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
-| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
+| `0x80242000` | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler couldn't be completed because no remote process is available. |
+| `0x80242001`| `WU_E_UH_LOCALONLY` | A request for a remote update handler couldn't be completed because the handler is local only. |
+| `0x80242002` | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler couldn't be completed because the handler couldn't be recognized. |
+| `0x80242003` | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler couldn't be created because one already exists. |
+| `0x80242004` | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update couldn't be completed because the update doesn't support install (uninstall). |
+|`0x80242005` | `WU_E_UH_WRONGHANDLER` | An operation didn't complete because the wrong handler was specified. |
+| `0x80242006` | `WU_E_UH_INVALIDMETADATA` | A handler operation couldn't be completed because the update contains invalid metadata. |
+| `0x80242007` | `WU_E_UH_INSTALLERHUNG` | An operation couldn't be completed because the installer exceeded the time limit. |
+| `0x80242008` | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
+| `0x80242009` | `WU_E_UH_BADHANDLERXML` | An operation couldn't be completed because the handler-specific metadata is invalid. |
+| `0x8024200A` | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update couldn't be completed because the update requires user input. |
+| `0x8024200B` | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
+| `0x8024200C` | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
+| `0x8024200D` | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler didn't install the update because it needs to be downloaded again. |
+| `0x8024200E` | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
+| `0x8024200F` | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
+| `0x80242010` | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
+| `0x80242011` | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
+| `0x80242012` | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
+| `0x80242013` | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
+| `0x80242014` | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
+| `0x80242015` | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update couldn't be determined. |
+| `0x80242016` | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
+| `0x80242017` | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
+| `0x80242FFF` | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
## Data Store errors
| Error code | Message | Description |
|------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
-| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
-| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. |
-| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
-| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
-| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. |
-| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. |
-| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. |
-| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
-| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
-| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. |
-| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. |
-| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. |
-| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. |
-| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. |
-| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. |
-| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. |
-| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. |
-| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
-| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. |
-| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. |
-| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. |
-| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. |
-| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. |
-| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. |
-| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. |
-| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. |
-| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
-| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. |
-| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
+| `0x80248000` | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
+| `0x80248001` | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
+| `0x80248002` | `WU_E_DS_INVALID` | The current and expected states of the data store don't match. |
+| `0x80248003` | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
+| `0x80248004` | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
+| `0x80248005` | `WU_E_DS_INVALIDTABLENAME` | A table couldn't be opened because the table isn't in the data store. |
+| `0x80248006` | `WU_E_DS_BADVERSION` | The current and expected versions of the data store don't match. |
+| `0x80248007` | `WU_E_DS_NODATA` | The information requested isn't in the data store. |
+| `0x80248008` | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
+| `0x80248009` | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
+| `0x8024800A` | `WU_E_DS_UNKNOWNHANDLER` | The update wasn't processed because its update handler couldn't be recognized. |
+| `0x8024800B` | `WU_E_DS_CANTDELETE` | The update wasn't deleted because it's still referenced by one or more services. |
+| `0x8024800C` | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section couldn't be locked within the allotted time. |
+| `0x8024800D` | `WU_E_DS_NOCATEGORIES` | The category wasn't added because it contains no parent categories and isn't a top-level category itself. |
+| `0x8024800E` | `WU_E_DS_ROWEXISTS` | The row wasn't added because an existing row has the same primary key. |
+| `0x8024800F` | `WU_E_DS_STOREFILELOCKED` | The data store couldn't be initialized because it was locked by another process. |
+| `0x80248010` | `WU_E_DS_CANNOTREGISTER` | The data store isn't allowed to be registered with COM in the current process. |
+| `0x80248011` | `WU_E_DS_UNABLETOSTART` | Couldn't create a data store object in another process. |
+| `0x80248013` | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
+| `0x80248014` | `WU_E_DS_UNKNOWNSERVICE` | An operation didn't complete because the service isn't in the data store. |
+| `0x80248015` | `WU_E_DS_SERVICEEXPIRED` | An operation didn't complete because the registration of the service has expired. |
+| `0x80248016` | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it's a mandatory update or because it was deployed with a deadline. |
+| `0x80248017` | `WU_E_DS_TABLESESSIONMISMATCH` | A table wasn't closed because it isn't associated with the session. |
+| `0x80248018` | `WU_E_DS_SESSIONLOCKMISMATCH` | A table wasn't closed because it isn't associated with the session. |
+| `0x80248019` | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it's a built-in service and/or Automatic Updates can't fall back to another service. |
+| `0x8024801A` | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation isn't allowed. |
+| `0x8024801B` | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document don't match. |
+| `0x8024801C` | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
+| `0x8024801D` | `WU_E_DS_IMPERSONATED` | A data store operation didn't complete because it was requested with an impersonated identity. |
+| `0x80248FFF` | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
## Driver Util errors
-The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped.
+The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped.
| Error code | Message | Description |
|------------|-------------------------------|------------------------------------------------------------------------------------------------|
-| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. |
-| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. |
-| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. |
-| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
-| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
-| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
-| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
-| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
+| `0x8024C001` | `WU_E_DRV_PRUNED` | A driver was skipped. |
+| `0x8024C002` | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver couldn't be found. It may not conform with required specifications. |
+| `0x8024C003` | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver doesn't match the expected type. |
+| `0x8024C004` | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
+| `0x8024C005` | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
+| `0x8024C006` | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
+| `0x8024C007` | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
+| `0x8024CFFF` | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
## Windows Update error codes
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
-| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
-| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
-| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found.
-| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized.
-| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
-| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
-| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
-| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found.
-| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.
-| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed.
-| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled.
-| 0x8024000C | `WU_E_NOOP` | No operation was required.
-| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data.
-| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
-| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
-| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
-| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
-| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
-| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
-| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
-| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates.
-| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
-| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time.
-| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set.
-| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating.
-| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
-| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down.
-| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable.
-| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user.
-| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out.
-| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
-| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
-| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates.
-| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
-| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
-| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
-| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server.
-| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system.
-| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
-| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server.
-| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source.
-| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source.
-| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed.
-| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
-| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
-| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format.
-| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
-| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded.
-| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
-| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed.
-| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation.
-| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported.
-| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
-| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
-| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation.
-| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running.
-| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
-| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`.
-| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
-| 0x80070422 | | Windows Update service stopped working or is not running.
+| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
+| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
+| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.
+| `0x80240004` | `WU_E_NOT_INITIALIZED` | The object couldn't be initialized.
+| `0x80240005` | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
+| `0x80240006` | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
+| `0x80240007` | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
+| `0x80240008` | `WU_E_ITEMNOTFOUND` | The key for the item queried couldn't be found.
+| `0x80240009` | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation can't be performed twice simultaneously.
+| `0x8024000A` | `WU_E_COULDNOTCANCEL` | Cancellation of the operation wasn't allowed.
+| `0x8024000B` | `WU_E_CALL_CANCELLED` | Operation was canceled.
+| `0x8024000C` | `WU_E_NOOP` | No operation was required.
+| `0x8024000D` | `WU_E_XML_MISSINGDATA` | Windows Update Agent couldn't find required information in the update's XML data.
+| `0x8024000E` | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
+| `0x8024000F` | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
+| `0x80240010` | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
+| `0x80240011` | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
+| `0x80240012` | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
+| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
+| `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
+| `0x80240017` | `WU_E_NOT_APPLICABLE` | Operation wasn't performed because there are no applicable updates.
+| `0x80240018` | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
+| `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time.
+| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set.
+| `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation couldn't be performed because the Windows Update Agent is self-updating.
+| `0x8024001D` | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
+| `0x8024001E` | `WU_E_SERVICE_STOP` | Operation didn't complete because the service or system was being shut down.
+| `0x8024001F` | `WU_E_NO_CONNECTION` | Operation didn't complete because the network connection was unavailable.
+| `0x80240020` | `WU_E_NO_INTERACTIVE_USER` | Operation didn't complete because there's no logged-on interactive user.
+| `0x80240021` | `WU_E_TIME_OUT` | Operation didn't complete because it timed out.
+| `0x80240022` | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
+| `0x80240023` | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
+| `0x80240024` | `WU_E_NO_UPDATE` | There are no updates.
+| `0x80240025` | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
+| `0x80240026` | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
+| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
+| `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED` | The update couldn't be uninstalled because the request didn't originate from a WSUS server.
+| `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there's an unlicensed application on the system.
+| `0x8024002A` | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
+| `0x8024002B` | `WU_E_LEGACYSERVER` | An operation didn't complete because it requires a newer version of server.
+| `0x8024002C` | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update couldn't be installed because it required the source.
+| `0x8024002D` | `WU_E_SOURCE_ABSENT` | A full-file update couldn't be installed because it required the source.
+| `0x8024002E` | `WU_E_WU_DISABLED` | Access to an unmanaged server isn't allowed.
+| `0x8024002F` | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation didn't complete because the DisableWindowsUpdateAccess policy was set.
+| `0x80240030` | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
+| `0x80240031` | `WU_E_INVALID_FILE` | The file is in the wrong format.
+| `0x80240032` | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
+| `0x80240033` | `WU_E_EULA_UNAVAILABLE` | License terms couldn't be downloaded.
+| `0x80240034` | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
+| `0x80240035` | `WU_E_UPDATE_NOT_PROCESSED` | The update wasn't processed.
+| `0x80240036` | `WU_E_INVALID_OPERATION` | The object's current state didn't allow the operation.
+| `0x80240037` | `WU_E_NOT_SUPPORTED` | The functionality for the operation isn't supported.
+| `0x80240038` | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
+| `0x80240039` | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
+| `0x80240040` | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method doesn't run on Server Core installation.
+| `0x80240041` | `WU_E_SYSPREP_IN_PROGRESS` | Service isn't available while sysprep is running.
+| `0x80240042` | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
+| `0x80240043` | `WU_E_NO_UI_SUPPORT` | There's no support for `WUA UI`.
+| `0x80240FFF` | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
+| `0x80070422` | | Windows Update service stopped working or isn't running.
## Windows Update success codes
| Error code | Message | Description |
|------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
-| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
-| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
-| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
-| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
-| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
-| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. |
-| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
+| `0x00240001` | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
+| `0x00240002` | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
+| `0x00240003` | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
+| `0x00240004` | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
+| `0x00240005` | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
+| `0x00240006` | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
+| `0x00240007` | `WU_S_ALREADY_UNINSTALLED` | The update to be removed isn't installed on the system. |
+| `0x00240008` | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
## Windows Installer minor errors
-The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer.
| Error code | Message | Description |
|------------|------------------------------|---------------------------------------------------------------------------------------------|
-| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
-| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. |
-| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
-| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. |
-| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
+| `0x80241001` | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
+| `0x80241002` | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer isn't configured. |
+| `0x80241003` | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
+| `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user. |
+| `0x80241FFF` | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
## Windows Update Agent update and setup errors
| Error code | Message | Description |
|------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. |
-| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. |
-| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. |
-| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. |
-| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. |
-| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. |
-| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. |
-| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
-| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. |
-| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. |
-| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required. |
-| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
-| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
-| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. |
-| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. |
-| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. |
-| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. |
+| `0x8024D001` | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent couldn't be updated because an INF file contains invalid information. |
+| `0x8024D002` | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent couldn't be updated because the `wuident.cab` file contains invalid information. |
+| `0x8024D003` | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent couldn't be updated because of an internal error that caused setup initialization to be performed twice. |
+| `0x8024D004` | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent couldn't be updated because setup initialization never completed successfully. |
+| `0x8024D005` | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent couldn't be updated because the versions specified in the INF don't match the actual source file versions. |
+| `0x8024D006` | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent couldn't be updated because a WUA file on the target system is newer than the corresponding source file. |
+| `0x8024D007` | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent couldn't be updated because `regsvr32.exe` returned an error. |
+| `0x8024D009` | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
+| `0x8024D00A` | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent couldn't be updated because the current system configuration isn't supported. |
+| `0x8024D00B` | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent couldn't be updated because the system is configured to block the update. |
+| `0x8024D00C` | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent couldn't be updated because a restart of the system is required. |
+| `0x8024D00D` | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
+| `0x8024D00E` | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
+| `0x8024D00F` | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent couldn't be updated because the setup handler failed during execution. |
+| `0x8024D010` | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent couldn't be updated because the registry contains invalid information. |
+| `0x8024D013` | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent couldn't be updated because the server doesn't contain update information for this version. |
+| `0x8024DFFF` | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent couldn't be updated because of an error not covered by another `WU_E_SETUP_*` error code. |
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b4ab1cd282..2279f4318c 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -2,20 +2,22 @@
title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: troubleshooting
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 12/31/2017
---
# Windows Update log files
->Applies to: Windows 10
The following table describes the log files created by Windows Update.
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index cf56c12408..7965aa2782 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -2,12 +2,15 @@
title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 09/18/2018
-ms.topic: article
-ms.technology: itpro-updates
---
# Get started with Windows Update
@@ -31,7 +34,7 @@ To understand the changes to the Windows Update architecture that UUP introduces
-- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
+- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
Update types-
@@ -51,5 +54,5 @@ To understand the changes to the Windows Update architecture that UUP introduces
Additional components include the following-
-- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
-- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
+- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
+- **Action List** - The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index 9cf0c08919..ab1ed81b28 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -1,13 +1,16 @@
---
title: Windows Update security
manager: aaroncz
-description: Overview of the security for Windows Update.
+description: Overview of the security for Windows Update including security for the metadata exchange and content download.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
-ms.date: 10/25/2022
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 08/28/2023
---
# Windows Update security
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 96a06feeab..e29c2d0a8e 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -1,22 +1,21 @@
---
-title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
+title: Enforce compliance deadlines with policies
+titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 05/12/2023
---
# Enforcing compliance deadlines for updates
-**Applies to**
-
-- Windows 10
-- Windows 11
-
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
@@ -26,13 +25,13 @@ With a current version, it's best to use the new policy introduced in June 2019
- Update/ConfigureDeadlineGracePeriod
- Update/ConfigureDeadlineNoAutoReboot
-### Policy setting overview
+## Policy setting overview
|Policy|Description |
|-|-|
| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
-### Suggested configurations
+## Suggested configurations
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 8d7b1f616c..0e0b313437 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -1,19 +1,24 @@
---
title: Microsoft 365 admin center software updates page
+titleSuffix: Windows Update for Business reports
manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
-ms.topic: article
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Update for Business reports
+- ✅ Microsoft 365 admin center
ms.date: 04/26/2023
-ms.technology: itpro-updates
---
# Microsoft 365 admin center software updates page
-***(Applies to: Windows 11 & Windows 10 using [Windows Update for Business reports](wufb-reports-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices.
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index dc875c8675..395856651d 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -1,20 +1,21 @@
---
-title: Configuring Microsoft Intune devices for Windows Update for Business reports
-manager: aaroncz
-description: Configuring devices that are enrolled in Microsoft Intune for Windows Update for Business reports
+title: Configure devices using Microsoft Intune
+titleSuffix: Windows Update for Business reports
+description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
+appliesto:
+- ✅ Windows 11 and Windows 10 devices managed by Microsoft Intune
ms.date: 03/08/2023
-ms.technology: itpro-updates
---
# Configuring Microsoft Intune devices for Windows Update for Business reports
-***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***
-
This article is targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Windows Update for Business reports, within Microsoft Intune itself. Configuring devices for Windows Update for Business reports in Microsoft Intune breaks down to the following steps:
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 1d156ad5b7..3f3c8c7937 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -1,19 +1,22 @@
---
-title: Manually configuring devices for Windows Update for Business reports
-manager: aaroncz
-description: How to manually configure devices for Windows Update for Business reports
+title: Manually configure devices to send data
+titleSuffix: Windows Update for Business reports
+description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/15/2022
-ms.technology: itpro-updates
---
# Manually configuring devices for Windows Update for Business reports
-***(Applies to: Windows 11 & Windows 10)***
There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 69feacba6f..10af47e205 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -1,19 +1,22 @@
---
-title: Windows Update for Business reports configuration script
-manager: aaroncz
-description: Downloading and using the Windows Update for Business reports configuration script
+title: Configure clients with a script
+titleSuffix: Windows Update for Business reports
+description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
+manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 07/11/2023
-ms.technology: itpro-updates
---
# Configuring devices through the Windows Update for Business reports configuration script
-***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business reports configuration script is the recommended method of configuring devices to send data to Microsoft for use with Windows Update for Business reports. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configure devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index ddb2f0861d..05cfa795ab 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -1,19 +1,22 @@
---
-title: Delivery Optimization data in Windows Update for Business reports
-manager: aaroncz
-description: Provides information about Delivery Optimization data in Windows Update for Business reports
+title: Delivery Optimization data in reports
+titleSuffix: Windows Update for Business reports
+description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 04/12/2023
-ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
-
-***(Applies to: Windows 11 & Windows 10)***
[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index c29c9dced3..27a5b5ad14 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -1,19 +1,21 @@
---
title: Enable Windows Update for Business reports
-manager: aaroncz
-description: How to enable Windows Update for Business reports through the Azure portal
+titleSuffix: Windows Update for Business reports
+description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 07/11/2023
-ms.technology: itpro-updates
---
# Enable Windows Update for Business reports
-***(Applies to: Windows 11 & Windows 10)***
-
After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up Windows Update for Business reports are:
1. [Add Windows Update for Business reports](#bkmk_add) to your Azure subscription. This step has the following phases:
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 98ba761d81..60f9460966 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -1,14 +1,15 @@
### YamlMime:FAQ
metadata:
- title: Windows Update for Business reports - Frequently Asked Questions (FAQ)
+ title: Frequently Asked Questions (FAQ)
+ titleSuffix: Windows Update for Business reports
description: Answers to frequently asked questions about Windows Update for Business reports.
ms.prod: windows-client
+ ms.technology: itpro-updates
ms.topic: faq
- ms.date: 06/20/2023
manager: aaroncz
author: mestew
ms.author: mstewart
- ms.technology: itpro-updates
+ ms.date: 06/20/2023
title: Frequently Asked Questions about Windows Update for Business reports
summary: |
This article answers frequently asked questions about Windows Update for Business reports.
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 90184b8f3e..49268fb5a7 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -1,20 +1,21 @@
---
-title: Windows Update for Business reports feedback, support, and troubleshooting
-manager: aaroncz
-description: Windows Update for Business reports support information.
+title: Feedback, support, and troubleshooting
+titleSuffix: Windows Update for Business reports
+description: Windows Update for Business reports support, feedback, and troubleshooting information.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: article
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 02/10/2023
-ms.technology: itpro-updates
---
# Windows Update for Business reports feedback, support, and troubleshooting
-
-***(Applies to: Windows 11 & Windows 10)***
-
There are several resources that you can use to find help with Windows Update for Business reports. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Windows Update for Business reports:
- Send [product feedback about Windows Update for Business reports](#send-product-feedback)
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index 13c5e19777..a4321c74d6 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -1,19 +1,21 @@
---
title: Windows Update for Business reports overview
-manager: aaroncz
+titleSuffix: Windows Update for Business reports
description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/15/2022
-ms.technology: itpro-updates
---
# Windows Update for Business reports overview
-***(Applies to: Windows 11 & Windows 10)***
-
Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index bdd9e61896..b418f74af8 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -1,19 +1,21 @@
---
-title: Windows Update for Business reports prerequisites
-manager: aaroncz
-description: Prerequisites for Windows Update for Business reports
+title: Prerequisites for Windows Update for Business reports
+titleSuffix: Windows Update for Business reports
+description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
-ms.date: 06/27/2023
-ms.technology: itpro-updates
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 08/30/2023
---
# Windows Update for Business reports prerequisites
-***(Applies to: Windows 11 & Windows 10)***
-
Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
## Azure and Azure Active Directory
@@ -68,7 +70,7 @@ Device names don't appear in Windows Update for Business reports unless you indi
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
-## Data transmission requirements
+## Endpoints
[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 364bed3d49..6cf7e6e2a8 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -1,21 +1,25 @@
---
-title: Windows Update for Business reports Data Schema - UCClient
-manager: aaroncz
-description: UCClient schema
+title: UCClient data schema
+titleSuffix: Windows Update for Business reports
+description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 08/09/2023
-ms.technology: itpro-updates
---
# UCClient
-***(Applies to: Windows 11 & Windows 10)***
-
UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
+## Schema for UCClient
+
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index de73ebfc5b..2e6bcaa89c 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -1,21 +1,26 @@
---
-title: Windows Update for Business reports Data Schema - UCClientReadinessStatus
-manager: aaroncz
-description: UCClientReadinessStatus schema
+title: UCClientReadinessStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/06/2022
-ms.technology: itpro-updates
---
# UCClientReadinessStatus
-***(Applies to: Windows 10)***
UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
+## Schema for UCClientReadinessStatus
+
|Field |Type |Example |Description |
|---|---|---|---|
| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 1c71d9d355..1373eed6d6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -1,21 +1,26 @@
---
-title: Windows Update for Business reports Data Schema - UCClientUpdateStatus
-manager: aaroncz
-description: UCClientUpdateStatus schema
+title: UCClientUpdateStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/05/2023
-ms.technology: itpro-updates
---
# UCClientUpdateStatus
-***(Applies to: Windows 11 & Windows 10)***
Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
+## Schema for UCClientUpdateStatus
+
| Field | Type | Example | Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index e515e80e13..435324d2db 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -1,21 +1,25 @@
---
-title: Windows Update for Business reports Data Schema - UCDeviceAlert
-manager: aaroncz
-description: UCDeviceAlert schema
+title: UCDeviceAlert data schema
+titleSuffix: Windows Update for Business reports
+description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/06/2022
-ms.technology: itpro-updates
---
# UCDeviceAlert
-***(Applies to: Windows 11 & Windows 10)***
-
These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
+## Schema for UCDeviceAlert
+
|Field |Type |Example |Description |
|---|---|---|---|
| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 25c5d1ae59..a7012d9409 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -1,22 +1,27 @@
---
-title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
-ms.reviewer: carmenf
-manager: aaroncz
-description: UCDOAggregatedStatus schema
+title: UCDOAggregatedStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+ms.reviewer: carmenf
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/17/2022
-ms.technology: itpro-updates
---
# UCDOAggregatedStatus
-***(Applies to: Windows 11 & Windows 10)***
UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
+## Schema for UCDOAggregatedStatus
+
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index 7897c27f1c..a76acc8512 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -1,22 +1,25 @@
---
-title: Windows Update for Business reports Data Schema - UCDOStatus
-ms.reviewer: carmenf
-manager: aaroncz
-description: UCDOStatus schema
+title: UCDOStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
ms.prod: windows-client
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+ms.reviewer: carmenf
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/17/2022
-ms.technology: itpro-updates
---
# UCDOStatus
-***(Applies to: Windows 11 & Windows 10)***
-
UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
+## Data schema for UCDOStatus
+
|Field |Type |Example |Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 8e8e34ea82..52989b6baf 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -1,21 +1,25 @@
---
-title: Windows Update for Business reports Data Schema - UCServiceUpdateStatus
-manager: aaroncz
-description: UCServiceUpdateStatus schema
+title: UCServiceUpdateStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/06/2022
-ms.technology: itpro-updates
---
# UCServiceUpdateStatus
-***(Applies to: Windows 11 & Windows 10)***
-
Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
+## Schema for UCServiceUpdateStatus
+
| Field | Type | Example | Description |
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index db70047ed0..c85d070cc9 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -1,21 +1,25 @@
---
-title: Windows Update for Business reports Data Schema - UCUpdateAlert
-manager: aaroncz
-description: UCUpdateAlert schema
+title: UCUpdateAlert data schema
+titleSuffix: Windows Update for Business reports
+description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/06/2022
-ms.technology: itpro-updates
---
# UCUpdateAlert
-***(Applies to: Windows 11 & Windows 10)***
-
Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses.
+## Schema for UCUpdateAlert
+
|Field |Type |Example |Description |
|---|---|---|---|
| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index cbcae6c319..8a4fc45ecb 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -1,22 +1,24 @@
---
title: Windows Update for Business reports data schema
-manager: aaroncz
-description: An overview of Windows Update for Business reports data schema
+titleSuffix: Windows Update for Business reports
+description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
author: mestew
ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/15/2022
-ms.technology: itpro-updates
---
-# Windows Update for Business reports schema
+# Windows Update for Business reports schema
-***(Applies to: Windows 11 & Windows 10)***
-
When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Windows Update for Business reports and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
-## Schema
+## Schemas for Windows Update for Business reports
The following table summarizes the different tables that are part of the Windows Update for Business reports solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 6b58c8cffb..2b4f1b8b1a 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -1,19 +1,21 @@
---
title: Use the Windows Update for Business reports data
-manager: aaroncz
+titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 11/15/2022
-ms.technology: itpro-updates
---
# Use Windows Update for Business reports
-***(Applies to: Windows 11 & Windows 10)***
-
In this article, you'll learn how to use Windows Update for Business reports to monitor Windows updates for your devices. To configure your environment for use with Windows Update for Business reports, see [Enable Windows Update for Business reports](wufb-reports-enable.md).
## Display Windows Update for Business reports data
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index df61f9ca36..d024ceda0d 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -1,20 +1,21 @@
---
title: Use the workbook for Windows Update for Business reports
-manager: aaroncz
-description: How to use the Windows Update for Business reports workbook.
+titleSuffix: Windows Update for Business reports
+description: How to use the Windows Update for Business reports workbook from the Azure portal.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
ms.date: 06/23/2023
-ms.technology: itpro-updates
---
# Windows Update for Business reports workbook
-***(Applies to: Windows 11 & Windows 10)***
-
-
[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections:
- [Summary](#summary-tab)
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index c6bd179c95..295f638ff4 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -2,22 +2,20 @@
title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
author: mestew
-ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 01/13/2022
---
# Use Windows Update for Business and WSUS together
-**Applies to**
-
-- Windows 10
-- Windows 11
-
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
@@ -70,13 +68,10 @@ The policy can be configured using the following two methods:
2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor<Update Type>**:
> [!NOTE]
-> You should configure **all** of these policies if you are using CSPs.
+> - You should configure **all** of these policies if you are using CSPs.
+> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered.
- [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
- [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
- [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
- [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)
-
-
-> [!NOTE]
-> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred.
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index ad017e7f92..2ee3c1c6fc 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -10,6 +10,8 @@
href: overview/windows-autopatch-roles-responsibilities.md
- name: Privacy
href: overview/windows-autopatch-privacy.md
+ - name: Deployment guide
+ href: overview/windows-autopatch-deployment-guide.md
- name: FAQ
href: overview/windows-autopatch-faq.yml
- name: Prepare
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png
new file mode 100644
index 0000000000..1e898235fa
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
index e3b0793469..c41dd12e0c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -53,4 +53,4 @@ You can view the excluded devices in the **Not registered** tab to make it easie
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select the device(s) you want to restore.
-1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.
+1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore excluded device**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 57b9aa5aad..34a3b93fab 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates overview with Autopatch groups experience
description: This article explains how Windows quality updates are managed with Autopatch groups
-ms.date: 07/25/2023
+ms.date: 08/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -24,17 +24,17 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
| Policy | Description |
| ----- | ----- |
| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
-| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
-For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
## Service level objective
-Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Note that devices that have cadence type set to Schedule install won't be eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence).
+Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Devices that have cadence type set to Schedule install aren't eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence).
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@@ -54,7 +54,7 @@ In the Release management blade, you can:
For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
-- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
+- The status of the update. Releases appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
- The date the update is available.
- The target completion date of the update.
- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release.
@@ -63,7 +63,7 @@ For each [deployment ring](windows-autopatch-update-management.md#windows-autopa
Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
-When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
+When expediting a release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
| Release type | Group | Deferral | Deadline | Grace period |
| ----- | ----- | ----- | ----- | ----- |
@@ -87,7 +87,7 @@ By default, the service expedites quality updates as needed. For those organizat
Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
-For the deployment rings that have passed quality updates deferral date, the OOB release schedule will be expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs will be released as per the set deferral dates.
+For the deployment rings that have passed quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs is released as per the set deferral dates.
**To view deployed Out of Band quality updates:**
@@ -114,19 +114,19 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Windows Autopatch** section, select **Release management**.
-1. In the **Release management** blade, got to the **Release schedule** tab and select **Windows quality updates**.
-1. Select the Autopatch group that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
-1. Select a reason from the dropdown menu.
-1. Optional. Enter details about why you're pausing or resuming the selected update.
-1. If you're resuming an update, you can select one or more deployment rings.
-1. Select **Okay**.
+1. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.
+1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
+1. Optional. Enter the justification(s) about why you're pausing or resuming the selected update.
+1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update.
+1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings.
+1. Select **Pause or Resume deployment**.
The three following statuses are associated with paused quality updates:
| Status | Description |
| ----- | ------ |
-| Paused by Service | If the Windows Autopatch service has paused an update, the release will have the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
-| Paused by Tenant | If you've paused an update, the release will have the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
+| Paused by Service | If the Windows Autopatch service has paused an update, the release has the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
+| Paused by Tenant | If you've paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
## Remediating Not ready and/or Not up to Date devices
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
index df57df3874..881bb60534 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -1,7 +1,7 @@
---
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
-ms.date: 08/21/2023
+ms.date: 08/22/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -46,16 +46,16 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Driver updates for Windows 10 and later**.
-1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**.
+1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**.
The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table:
| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
| ----- | ----- | ----- | ----- | ----- |
-| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` |
-
-> [!NOTE]
-> In public preview, the DeploymentDeferralInDays setting is set to `0` for all deployment rings.
+| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
+| `CreateDriverUpdatePolicy`| Windows Autopatch – Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
+| `CreateDriverUpdatePolicy` |Windows Autopatch – Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
+| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
## Feedback and support
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
new file mode 100644
index 0000000000..fb1b851773
--- /dev/null
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
@@ -0,0 +1,337 @@
+---
+title: Windows Autopatch deployment guide
+description: This guide explains how to successfully deploy Windows Autopatch in your environment
+ms.date: 08/24/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+ms.collection:
+ - tier2
+---
+
+# Windows Autopatch deployment guide
+
+As organizations move to support hybrid and remote workforces, and continue to adopt cloud-based endpoint management with services such as Intune, managing updates is critical.
+
+Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
+
+A successful Windows Autopatch deployment starts with planning and determining your objectives. Use this deployment guide to plan your move or migration to Windows Autopatch.
+
+This guide:
+
+- Helps you plan your deployment and adopt Windows Autopatch
+- Lists and describes some common objectives
+- Provides a recommended deployment plan
+- Provides migration considerations for Windows Update for Business (WUfB) and Microsoft Configuration Manager
+- Lists some common general considerations when deploying Windows Autopatch
+- Provides suggested business case benefits and communication guidance
+- Gives additional guidance and how to join the Autopatch community
+
+## Determine your objectives
+
+This section details some common objectives when using Windows Autopatch.
+
+Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives.
+
+Use Windows Autopatch to solve the following challenges:
+
+- Difficulty developing and defending update cadence and general best practices
+- Increase visibility and improve issue reporting
+- Achieving a consistent update success rate
+- Standardize and optimize the configuration for devices, policies, tools and versions across their environment
+- Transition to modern update management by configuring Intune and Windows Update for Business
+- Make update processes more efficient and less reliant on IT admin resources
+- Address vulnerabilities and Windows quality updates as soon as possible to improve security
+- Assist with compliance to align with industry standards
+- Invest more time on value-add IT projects rather than monthly updates
+- Planning and managing Windows feature updates
+- Transition to Windows 11
+
+## Recommended deployment steps
+
+The following deployment steps can be used as a guide to help you to create your organization's specific deployment plan to adopt and deploy Windows Autopatch.
+
+:::image type="content" source="../media/windows-autopatch-deployment-journey.png" alt-text="Windows Autopatch deployment journey" lightbox="../media/windows-autopatch-deployment-journey.png":::
+
+### Step one: Prepare
+
+[Review the prerequisites](../prepare/windows-autopatch-prerequisites.md) and [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) into the Windows Autopatch service. At this stage, your devices aren't affected. You can enroll your tenant and review the service options before registering your devices.
+
+| Step | Description |
+| ----- | ----- |
+| **1A: Set up the service** | - Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
- Review and understand [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
- Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
- Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) completed successfully
|
+| **1B: Confirm update service needs and configure your workloads** | - [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md): Expedite preferences and cadence customizations
- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md): Servicing version preferences
- [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md): Set to either Manual or Automatic
- [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md): Set to either Monthly Enterprise Channel or opt-out
- [Microsoft Edge](../operate/windows-autopatch-edge.md): Required. Beta and Stable Channel
- [Microsoft Teams](../operate/windows-autopatch-teams.md): Required. Automatic
|
+| **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
- Review your device inventory and consider a representative mix of devices across your distribution
- Review your Azure AD groups that you wish to use to register devices into the service
- Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)
|
+| **1D: Review network optimization** | It's important to [prepare your network](../prepare/windows-autopatch-configure-network.md) to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure.
A recommended approach to manage bandwidth consumption is to utilize [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. |
+
+### Step two: Evaluate
+
+Evaluate Windows Autopatch with around 50 devices to ensure the service meets your needs. You can adjust this number based on your organizational make-up. It's recommended to monitor one update cycle during this evaluation step.
+
+| Step | Description |
+| ----- | ----- |
+| **2A: Review reporting capabilities** | - [Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)
- [Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)
- [Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)
Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.
There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.
For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.|
+| **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.
- Identify service desk and end user computing process changes
- Identify any alignment with third party support agreements
- Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options
- Identify IT admin process change & service interaction points
|
+| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
[Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)- [Microsoft Edge](../operate/windows-autopatch-edge.md)
- [Microsoft Teams](../operate/windows-autopatch-teams.md)
Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
- Gain knowledge and experience in identifying and resolving update issues more effectively
- Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes
Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). |
+| **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. |
+
+### Step three: Pilot
+
+Plan to pilot the service with around 500 devices to provide sufficient pilot coverage to be ready for deployment. You can adjust this number based on your organizational make-up. It's recommended to monitor one to two update cycles during the pilot step.
+
+| Step | Description |
+| ----- | ----- |
+| **3A: Register devices** | Register pilot device group(s) |
+| **3B: Monitor update process success** |- Quality update: One to two update cycles
- Feature update: Set of pilot devices scheduled across several weeks
- Drivers and firmware: One to two update cycles
- Microsoft 365 Apps for enterprise (if not opted-out): One to two update cycles
- Microsoft Edge: One to two update cycles
- Microsoft Teams: One to two update cycles
|
+| **3C: Review reports** |- [Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles
- [Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule
- [Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles
|
+| **3D: Implement operational changes** |- Pilot Service Desk, end user computing and third party (if applicable) process changes with pilot representatives
- IT admins must:
- Review deployment progress using Windows Autopatch reports
- Respond to identified actions to help improve success rates
|
+| **3E: Communicate with stakeholders** | Review and action your stakeholder communication plan. |
+| **3F: Deployment planning** | Prepare target deployment groups for phased deployment of Windows Autopatch. |
+
+### Step four: Deploy
+
+Following a successful pilot, you can commence deployment to your broader organization. The pace at which you deploy is dependent on your own requirements; for example, deploying in groups of 500 to 5000 per week are commonly used approaches to complete the deployment of Windows Autopatch.
+
+| Step | Description |
+| ----- | ----- |
+| **4A: Review reports** |- Review deployment progress using Windows Autopatch reports
- Respond to identified actions to help improve success rates
|
+| **4B: Communicate with stakeholders** | Review and action your stakeholder communication plan |
+| **4C: Complete operational changes** |- Service Desk readiness is complete and in place
- IT admins take the required action(s) based on the Autopatch reports
|
+
+## Migration considerations
+
+If you're an existing Windows Update for Business (WUfB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path.
+
+### Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch?
+
+Customers who are using Windows Update for Business (WUfB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides.
+
+When moving from Windows Update for Business (WUfB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with.
+
+Once migrated, there are several configuration tasks that you no longer need to carry out:
+
+| Autopatch benefit | Configuration Manager | Windows Update for Business (WUfB) |
+| ----- | ----- | ----- |
+| Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:- Download updates
- Distribute to distribution points
- Target update collections
| Manage "static" deployment ring policies |
+| Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership |
+| Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies |
+| Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals |
+| Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Azure AD groups |
+
+In addition to the reports, other benefits include:
+
+| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
+| ----- | ----- |
+| Windows quality and feature update reports with integrated alerts, deep filtering, and status-at-a-glance | Requires you to manually navigate and hunt for status and alerts |
+| Filter by action needed with integrated resolution documentation | Requires you to research and discover possible actions relating to update issues |
+| Better visibility for IT admins, Security compliance and proof for regulator | Requires you to pull together different reports and views across multiple admin portals |
+
+Service management benefits include:
+
+| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
+| ----- | ----- |
+| Windows automation and Microsoft Insights | First or third-party resources required to support and manage updates internally |
+| Microsoft research and insights determine the 'go/no-go' for your update deployment | Limited signals and insights from your organization to determine the 'go/no-go' for your update deployment |
+| Windows Autopatch might pause or roll back an update. The pause or rollback is dependent on the scope of impact and to prevent end user disruption | Manual intervention required, widening the potential impact of any update issues |
+| By default, Windows Autopatch [expedites quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) as needed. | Manual intervention required, widening the potential impact of any update issues |
+
+### Migrating from Windows Update for Business (WUfB) to Windows Autopatch
+
+#### Assessing your readiness to migrate from Windows Update for Business (WUfB) to Windows Autopatch
+
+When moving from Windows Update for Business (WUfB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment:
+
+| Step | Assessment step | Recommendation |
+| ----- | ----- | ----- |
+| **1** | "User based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) |
+| **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, your teams should understand that your Windows Autopatch devices use these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). |
+| **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is using a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out Microsoft 365 Apps for enterprise updates. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) |
+| **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
+| **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WUfB) it's likely you already have your network optimization solution in place. For more information, see [Review network optimization](#step-one-prepare) |
+
+### Optimized deployment path: Windows Update for Business (WUfB) to Windows Autopatch
+
+Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path:
+
+| Step | Example timeline | Task |
+| ----- | ----- | ----- |
+| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service- Prepare your environment, review existing update policies and [General Considerations](#general-considerations)
- Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
- Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
- Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully
|
+| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one | - [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
- [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
- [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
- [Microsoft Edge](../operate/windows-autopatch-edge.md)
- [Microsoft Teams](../operate/windows-autopatch-teams.md)
- Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
|
+| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
+| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
+| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
+
+### Migrating from Configuration Manager to Windows Autopatch
+
+Regardless of if you're migrating from Configuration Manager to Microsoft Intune or if you're remaining with Configuration Manager, if you're currently using Configuration Manager to manage updates, you can migrate the update workloads to Windows Autopatch and take advantage of the key benefits for your Configuration Manager environment.
+
+#### Assessing your readiness to migrate from Configuration Manager to Windows Autopatch
+
+When you migrate from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune.
+
+| Step | Assessment step | Recommendation |
+| ----- | ----- | ----- |
+| **1** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.
If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) |
+| **2** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:- Windows Update policies workload
- Device configuration workload
- Office Click-to-Run apps workload
If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) |
+| **3** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
+| **4** | Ensure Configuration Manager collections or Azure AD device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Azure AD device groups, or Configuration Manager collections. Ensure you have either Azure AD device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |
+
+### Optimized deployment path: Configuration Manager to Windows Autopatch
+
+Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path:
+
+| Step | Example timeline | Task |
+| ----- | ----- | ----- |
+| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service- Prepare your environment, review existing update policies and [General Considerations](#general-considerations).
- Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service
- Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)
- Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully.
|
+| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one | - [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
- [Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
- [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
- [Microsoft Edge](../operate/windows-autopatch-edge.md)
- [Microsoft Teams](../operate/windows-autopatch-teams.md)
- Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
|
+| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
+| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
+| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
+
+## General considerations
+
+As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch.
+
+Many organizations have existing policies and device management infrastructure, for example:
+
+- Group Policy Objects (GPO)
+- Registry settings
+- Configuration Manager
+- Existing Mobile Device Management (MDM) policies
+- Servicing profiles for Microsoft 365 Apps
+
+It's a useful exercise to create a baseline of your policies and existing settings to map out the configuration that could impact your move to Windows Autopatch.
+
+### Group policy
+
+Review existing policies and their structure. Some policies might apply globally, some apply at the site level, and some are specific to a device. The goal is to know and understand the intent of global policies, the intent of local policies, and so on.
+
+On-premises AD group policies are applied in the LSDOU order (Local, Site, Domain, and Organizational Unit (OU)). In this hierarchy, OU policies overwrite domain policies, domain policies overwrite site policies, and so on.
+
+| Area | Path | Recommendation |
+| ----- | ----- | ----- |
+| Windows Update Group Policy settings | `Computer Configuration\Administrative Templates\Windows Components\Windows Updates` | The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. |
+| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WUfB)
When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WUfB), and Delivery Optimization to stop working. |
+| Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WUfB) service with the Windows Update Scan Source policy.
You should review any scan source policy settings targeting devices to ensure:- That no conflicts exist that could affect update deployment through Windows Autopatch
- Such policies aren't targeting devices enrolled into Windows Autopatch
|
+
+### Registry settings
+
+Any policies, scripts or settings that create or edit values in the following registry keys might interfere with Windows and Office Update settings delivered through Autopatch. It's important to understand how these settings interact with each other and with the Windows and Office Update service as part of your Autopatch planning.
+
+| Key | Description |
+| ----- | ----- |
+| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
(Intune MDM only cloud managed)
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
(If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. |
+| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`
(If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. |
+| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update`
(GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. |
+| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`
(GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).
Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.
For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. |
+
+> [!NOTE]
+> For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see [Manage additional Windows Update settings](/windows/deployment/update/waas-wu-settings).
+
+### Configuration Manager
+
+#### Windows and Microsoft 365 Apps for enterprise updates
+
+When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies.
+
+Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager.
+
+To ensure that Software Update Policies don't conflict with Windows Update for Business (WUfB) and Office Update policies, create a Software Update Policy in Configuration Manager that has:
+
+- Windows and Office Update configuration disabled
+- Includes devices enrolled into Autopatch to remove any existing configuration(s).
+
+If this policy remains live, confirm that Autopatch devices aren't included in the live Software Update Policy in Configuration Manager.
+
+All devices that are enrolled in Autopatch use Windows and Office Update policies from the service, and any configurations that are applied through Configuration Manager Software Update Policies can be removed.
+
+For example, Configuration Manager Software Update Policy settings exclude Autopatch enrolled devices from receiving conflicting configuration for Windows and Office Updates:
+
+| Device setting | Recommended configuration |
+| ----- | ----- |
+| Enable software updates | No |
+| Enable management of the Office 365 Client Agent | No |
+
+> [!NOTE]
+> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren’t in use.
+
+#### Existing Mobile Device Management (MDM) policies
+
+| Policy | Description |
+| ----- | ----- |
+| **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.
When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.
This setting doesn't apply to all scenarios. This setting doesn't work for:- User scoped settings. This setting applies to device scoped settings only
- Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings
- Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect
For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) |
+| **Windows Update for Business (WUfB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. |
+| **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. |
+
+#### Servicing profiles for Microsoft 365 Apps for enterprise
+
+You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using [Servicing profiles](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#compatibility-with-servicing-profiles). A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#device-eligibility) regardless of existing management tools in your environment.
+
+You can consider retargeting servicing profiles to non-Windows Autopatch devices or if you plan to continue using them, you can [block Windows Autopatch delivered Microsoft 365 App updates](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#allow-or-block-microsoft-365-app-updates) for Windows Autopatch-enrolled devices.
+
+## Business case
+
+Part of your planning might require articulating the business benefits of moving to Windows Autopatch from your existing update solution(s). Windows Autopatch provides several resources to help when building your business case.
+
+- [How Windows Autopatch works for you](https://www.microsoft.com/microsoft-365/windows/autopatch)
+- [What is Windows Autopatch?](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note3)
+- [Forrester - The Projected Total Economic Impact™ Of Windows Autopatch: Cost Savings And Business Benefits Enabled By Windows Autopatch](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note6)
+- [Windows Autopatch Skilling snack](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/skilling-snack-windows-autopatch/ba-p/3787448)
+
+## Stakeholder communications
+
+Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate.
+
+- Identify groups impacted by the Autopatch deployment
+- Identify key stakeholders in the impacted groups
+- Determine the types of communications needed
+- Develop your messaging based on the [Recommended deployment steps](#recommended-deployment-steps)
+- Create your stakeholder and communication plan schedule based on the [Recommended deployment steps](#recommended-deployment-steps)
+- Have communications drafted and reviewed, and consider your delivery channels such as:
+ - Social media posts
+ - Internal messaging app (for example, Microsoft Teams)
+ - Internal team site
+ - Email
+ - Company blog
+ - Prerecorded on-demand videos
+ - Virtual meeting(s)
+ - In-person meetings
+ - Team workshops
+- Deploy your stakeholder communication plan
+
+## Review your objectives and business case with stakeholders
+
+Review your original objectives and business case with your key stakeholders to ensure your outcomes have been met and to ensure your expected value has been achieved.
+
+## Need additional guidance?
+
+If you need assistance with your Windows Autopatch deployment journey, you have the following support options:
+
+- Microsoft Account Team
+- [Microsoft FastTrack](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request#microsoft-fasttrack)
+- Windows Autopatch Service Engineering Team
+ - [Tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md)
+ - [General support request](../operate/windows-autopatch-support-request.md)
+
+First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.
+
+### Windows Autopatch Private Community (APC)
+
+Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can:
+
+- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers
+- Gain access to:
+ - Exclusive virtual meetings
+ - Focus groups
+ - Surveys
+ - Teams discussions
+ - Previews
+
+### Windows Autopatch Technology Adoption Program (TAP)
+
+If you have at least 500 devices enrolled in the service, and will test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 1a0e660f16..425952dd5a 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 08/08/2023
+ms.date: 08/31/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -30,6 +30,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
| Review the [FAQ](../overview/windows-autopatch-faq.yml) | :heavy_check_mark: | :x: |
| [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
+| Consult the [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | :heavy_check_mark: | :x: |
| Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
@@ -38,6 +39,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Manage and respond to tenant enrollment support requests](../prepare/windows-autopatch-enrollment-support-request.md) | :x: | :heavy_check_mark: |
| Identify stakeholders for deployment communications | :heavy_check_mark: | :x: |
+For more information and assistance with preparing for your Windows Autopatch deployment journey, see [Need additional guidance](../overview/windows-autopatch-deployment-guide.md#need-additional-guidance).
+
## Deploy
| Task | Your responsibility | Windows Autopatch |
@@ -46,7 +49,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
| Educate users on the Windows Autopatch end user update experience- [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
- [Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)
- [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
- [Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)
- [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
| :heavy_check_mark: | :x: |
| Review network optimization- [Prepare your network](../prepare/windows-autopatch-configure-network.md)
- [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: |
-| Review existing configurations
- Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
| :heavy_check_mark: | :x: |
+| Review existing configurations- Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
- Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)
| :heavy_check_mark: | :x: |
| Confirm your update service needs and configure your workloads- [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)
- [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)
- [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
- [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)
- Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
| :heavy_check_mark: | :x: |
| [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)- [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)
- [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
| :heavy_check_mark: | :x: |
| [Register devices](../deploy/windows-autopatch-register-devices.md)- [Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)
- [Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
@@ -83,11 +86,11 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
| [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
-| Maintain existing configurations
- Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
| :heavy_check_mark: | :x: |
+| Maintain existing configurations- Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
- Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)
| :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are- [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
- [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
- have [Device alerts](../operate/windows-autopatch-device-alerts.md)
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
-| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
+| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index d814cd921f..0eb84588e2 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 08/21/2023
+ms.date: 08/31/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -27,10 +27,19 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
+| [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | New guide. This guide explains how to successfully deploy Windows Autopatch in your environment |
+| [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added the **This pause is related to Windows Update** option to the [Pause and resume a release feature](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) |
+| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)| Added [policy settings](../operate/windows-autopatch-manage-driver-and-firmware-updates.md#view-driver-and-firmware-policies-created-by-windows-autopatch) for all deployment rings |
| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | General Availability- [MC661218](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature - [MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
+## August service releases
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Service Improvements |
+
## July 2023
### July feature releases or updates
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index eaf509458d..7c130ac1f2 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -4,6 +4,7 @@ description: This article provides a description of AppLocker and can help you d
ms.collection:
- highpri
- tier3
+- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 06/07/2023
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
index 1909066094..c7086b6b5e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
@@ -2,7 +2,7 @@
title: Deploy WDAC policies using Mobile Device Management (MDM)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
ms.localizationpriority: medium
-ms.date: 01/23/2023
+ms.date: 08/30/2023
ms.topic: how-to
---
@@ -28,10 +28,10 @@ Intune's built-in Windows Defender Application Control support allows you to con
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
> [!NOTE]
-> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
+> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> [!NOTE]
-> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies without a restart.
+> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.
To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
@@ -46,6 +46,9 @@ You should now have one or more WDAC policies converted into binary form. If not
Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
+> [!NOTE]
+> You must convert your custom policy XML to binary form before deploying with OMA-URI.
+
The steps to use Intune's custom OMA-URI functionality are:
1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
@@ -53,10 +56,9 @@ The steps to use Intune's custom OMA-URI functionality are:
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
+ - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf.
- > [!div class="mx-imgBorder"]
- > 
+ :::image type="content" alt-text="Configure custom WDAC." source="../images/wdac-intune-custom-oma-uri.png" lightbox="../images/wdac-intune-custom-oma-uri.png":::
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index a190d84898..d38b2eff55 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -5,6 +5,7 @@ ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
+- must-keep
ms.date: 06/06/2023
ms.topic: article
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
index 53788ab824..170525c906 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
@@ -3,6 +3,8 @@ title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
ms.topic: how-to
ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
---
# CiTool technical reference
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 7ee7a13013..22e5196913 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -5,7 +5,8 @@ ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
-ms.date: 04/06/2023
+- must-keep
+ms.date: 08/30/2023
ms.topic: article
---
@@ -32,9 +33,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## WDAC and Smart App Control
-Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
-Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@@ -47,7 +48,7 @@ Smart App Control is only available on clean installation of Windows 11 version
### Smart App Control Enforced Blocks
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 84fafe0fa1..817a43769a 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -77,7 +77,6 @@
"application-security//**/*.yml": "vinaypamnani-msft",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
"application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974",
- "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"hardware-security/**/*.md": "vinaypamnani-msft",
"hardware-security/**/*.yml": "vinaypamnani-msft",
"information-protection/**/*.md": "vinaypamnani-msft",
@@ -98,8 +97,6 @@
"application-security//**/*.yml": "vinpa",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
"application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther",
- "application-security/application-control/user-account-control/*.md": "paoloma",
- "application-security/application-control/user-account-control/*.yml": "paoloma",
"hardware-security//**/*.md": "vinpa",
"hardware-security//**/*.yml": "vinpa",
"information-protection/**/*.md": "vinpa",
@@ -224,14 +221,14 @@
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
- "application-security/application-control/windows-defender-application-control/**/*.md": "tier3",
+ "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
- "operating-system-security/network-security/windows-firewall/*.md": "tier3"
+ "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
}
},
"template": [],
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index e94b2d4cec..5a6e9fd2c9 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/14/2023
+ms.date: 08/31/2023
title: Additional mitigations
description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
ms.topic: reference
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 30a9d32913..be0448cba0 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -1,7 +1,7 @@
---
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
-ms.date: 08/14/2023
+ms.date: 08/31/2023
ms.collection:
- highpri
- tier2
@@ -14,7 +14,8 @@ This article describes how to configure Credential Guard using Microsoft Intune,
## Default enablement
-Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Gurad remotely, if needed.\
+Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+
If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings.
While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article.
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index f8bc11b54b..d03edd96af 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/16/2023
+ms.date: 08/31/2023
title: Considerations and known issues when using Credential Guard
description: Considerations, recommendations and known issues when using Credential Guard.
ms.topic: troubleshooting
@@ -11,7 +11,8 @@ It's recommended that in addition to deploying Credential Guard, organizations m
## Wi-fi and VPN considerations
-When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\
+When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+
If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
@@ -115,13 +116,13 @@ Devices that use 802.1x wireless or wired network, RDP, or VPN connections that
#### Affected devices
-Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
> [!TIP]
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
-> If it's' present, the device enables Credential Guard after the update.
+> If it's present, the device enables Credential Guard after the update.
>
> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index 181b081369..69eef9c3f9 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/16/2023
+ms.date: 08/31/2023
title: How Credential Guard works
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.topic: conceptual
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 7b4a51586d..66d5ae8bf4 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -1,7 +1,7 @@
---
title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
-ms.date: 08/08/2023
+ms.date: 08/31/2023
ms.topic: overview
ms.collection:
- highpri
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index c3af27ecfb..63fdfc2e7a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -68,7 +68,9 @@ To register the applications, follow these steps:
:::row-end:::
:::row:::
:::column span="3":::
- 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization
+ 3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
+ >[!NOTE]
+ >After accepance, the redirect page will show a blank page. This is a known behavior.
:::column-end:::
:::column span="1":::
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
@@ -178,7 +180,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Applies to:** Azure AD joined devices
-PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
+PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@@ -196,7 +198,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
| - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
- Data type: String
- Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**
|
> [!NOTE]
-> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
+> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
## Use PIN reset
@@ -241,5 +243,5 @@ You may find that PIN reset from Settings only works post sign in. Also, the loc
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
[INT-1]: /mem/intune/configuration/settings-catalog
-[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&redirect_uri=https%3A%2F%2Fcred.microsoft.com&prompt=admin_consent
-[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&prompt=admin_consent
+[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
+[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index d1059a1570..4765ae8d4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -174,7 +174,7 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
-1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+1. For Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 9dafd8be5b..690c5f984c 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -317,7 +317,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
> 1. Enable the setting.
> 1. Save changes again.
>
-> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
+> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
deleted file mode 100644
index fe2fb5b3e9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Configure Personal Data Encryption (PDE) in Intune
-description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-
-
-
-# Configure Personal Data Encryption (PDE) policies in Intune
-
-The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
-
-## Required prerequisites
-
-1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-## Security hardening recommendations
-
-1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-1. [Disable hibernation](intune-disable-hibernation.md)
-1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## See also
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
new file mode 100644
index 0000000000..7a7277136f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -0,0 +1,141 @@
+---
+title: PDE settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+ms.topic: how-to
+ms.date: 08/11/2023
+---
+
+# PDE settings and configuration
+
+This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+
+> [!NOTE]
+> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+>
+> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+
+## PDE settings
+
+The following table lists the required settings to enable PDE.
+
+| Setting name | Description |
+|-|-|
+|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+
+## PDE hardening recommendations
+
+The following table lists the recommended settings to improve PDE's security.
+
+| Setting name | Description |
+|-|-|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
+
+## Configure PDE with Microsoft Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
+|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled|
+|**Memory Dump**|Allow Live Dump|Block|
+|**Memory Dump**|Allow Crash Dump|Block|
+|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled|
+|**Power**|Allow Hibernate|Block|
+|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
+```
+
+## Configure PDE with CSP
+
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`|
+|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``|
+|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``|
+
+## Disable PDE
+
+Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+
+### Disable PDE with a settings catalog policy in Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+### Disable PDE with CSP
+
+You can disable PDE with CSP using the following setting:
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
+
+## Decrypt PDE-encrypted content
+
+Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+
+1. Open the properties of the file
+1. Under the **General** tab, select **Advanced...**
+1. Uncheck the option **Encrypt contents to secure data**
+1. Select **OK**, and then **OK** again
+
+PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+
+- Decrypting a large number of files on a device
+- Decrypting files on multiple of devices
+
+To decrypt files on a device using `cipher.exe`:
+
+- Decrypt all files under a directory including subdirectories:
+
+ ```cmd
+ cipher.exe /d /s:
+ ```
+
+- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
+
+ ```cmd
+ cipher.exe /d
+ ```
+
+> [!IMPORTANT]
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+
+## Next steps
+
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider
+[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp
+
+[WINS-1]: /windows-server/administration/windows-commands/cipher
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
similarity index 73%
rename from windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 0429e74204..9dbd3b3def 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
- ms.date: 03/13/2023
+ ms.date: 08/11/2023
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
@@ -45,17 +45,9 @@ sections:
answer: |
No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- - question: How can it be determined if a file is protected with PDE?
- answer: |
- - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS:
- 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected.
- 2. Select the **Details** button.
- 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**.
- - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file.
-
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
@@ -64,9 +56,3 @@ sections:
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-CBC with a 256-bit key to encrypt content.
-
-additionalContent: |
- ## See also
- - [Personal Data Encryption (PDE)](index.md)
- - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
-
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
deleted file mode 100644
index b34908147d..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-ms.topic: include
-ms.date: 03/13/2023
----
-
-
-
-
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
-
-PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
-
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-
-Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
-
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
-
-> [!NOTE]
-> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 83e0433698..0608ea1a7c 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,89 +2,40 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
-ms.date: 03/13/2023
+ms.date: 08/11/2023
---
# Personal Data Encryption (PDE)
-[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
+Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
-[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
+PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
+
+The use of Windows Hello for Business offers the following advantages:
+
+- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
+- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+
+PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
-### Required
+To use PDE, the following prerequisites must be met:
-- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
-- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
-- Windows 11, version 22H2 and later Enterprise and Education editions
+- Windows 11, version 22H2 and later
+- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
+- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
-### Not supported with PDE
+> [!IMPORTANT]
+> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
-- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
-- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
-- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
-- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
-- Remote Desktop connections
-
-### Security hardening recommendations
-
-- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
-
- Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
-
-- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
-
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
-
-- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
-
-- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
-
- When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
- - On-premises Active Directory joined devices:
-
- - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
- - A password is required immediately after the screen turns off.
-
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
- - Workgroup devices, including Azure AD joined devices:
-
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
-
- Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
- For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
-
-### Highly recommended
-
-- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
-
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
-
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
-
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-
- Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## PDE protection levels
-PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
@@ -103,27 +54,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has
Scenarios where a user will be denied access to PDE protected content include:
-- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
-- If protected via level 2 protection, when the device is locked.
-- When trying to access content on the device remotely. For example, UNC network paths.
-- Remote Desktop sessions.
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
-
-## How to enable PDE
-
-To enable PDE on devices, push an MDM policy to the devices with the following parameters:
-
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **1**
-
-There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
+- If protected via level 2 protection, when the device is locked
+- When trying to access content on the device remotely. For example, UNC network paths
+- Remote Desktop sessions
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
## Differences between PDE and BitLocker
@@ -132,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker,
| Item | PDE | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
-| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
-| Files protected | Individual specified files | Entire volume/drive |
+| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
+| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
## Differences between PDE and EFS
@@ -143,61 +78,38 @@ The main difference between protecting files with PDE instead of EFS is the meth
To see if a file is protected with PDE or with EFS:
1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. In the **Advanced Attributes** windows, select **Details**
+1. Under the **General** tab, select **Advanced...**
+1. In the **Advanced Attributes** windows, select **Details**
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
-Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
+Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
-## Disable PDE and decrypt content
+## Recommendations for using PDE
-Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
+The following are recommendations for using PDE:
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **0**
-
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
-
-1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. Uncheck the option **Encrypt contents to secure data**
-4. Select **OK**, and then **OK** again
-
-PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
-
-- Decrypting a large number of files on a device
-- Decrypting files on a large number of devices.
-
-To decrypt files on a device using `cipher.exe`:
-
-- Decrypt all files under a directory including subdirectories:
-
- ```cmd
- cipher.exe /d /s:
- ```
-
-- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
-
- ```cmd
- cipher.exe /d
- ```
-
-> [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
## Windows out of box applications that support PDE
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
-- Mail
- - Supports protecting both email bodies and attachments
+| App name | Details |
+|-|-|
+| Mail | Supports protecting both email bodies and attachments|
-## See also
+## Next steps
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
-- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
+- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+
+
+[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
+[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
deleted file mode 100644
index 9fda445c43..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-ms.topic: how-to
-ms.date: 06/01/2023
----
-
-# Disable Winlogon automatic restart sign-on (ARSO) for PDE
-
-Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
-
-## Disable Winlogon automatic restart sign-on (ARSO) in Intune
-
-To disable ARSO using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Templates**
- 1. When the templates appear, under **Template name**, select **Administrative templates**
- 1. Select **Create** to close the **Create profile** window.
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable ARSO**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. On the left pane of the page, make sure **Computer Configuration** is selected
- 1. Under **Setting name**, scroll down and select **Windows Components**
- 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
- 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
- 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
deleted file mode 100644
index ef18936b1b..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Disable hibernation for PDE in Intune
-description: Disable hibernation for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable hibernation for PDE
-
-Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
-
-## Disable hibernation in Intune
-
-To disable hibernation using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Hibernation**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, scroll down and select **Power**
- 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
deleted file mode 100644
index 66a238e3c9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable kernel-mode crash dumps and live dumps for PDE
-
-Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
-
-## Disable kernel-mode crash dumps and live dumps in Intune
-
-To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
- 1. Next to **Description**, enter a description.
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, scroll down and select **Memory Dump**
- 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
deleted file mode 100644
index 4cf442e308..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable allowing users to select when a password is required when resuming from connected standby for PDE
-
-When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
-- On-premises Active Directory joined devices:
- - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- - A password is required immediately after the screen turns off
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
-- Workgroup devices, including Azure AD joined devices:
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
-
-Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
-## Disable allowing users to select when a password is required when resuming from connected standby in Intune
-
-To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
- 1. Next to **Description**, enter a description
- 1. Select **Next**.
-
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, expand **Administrative Templates**
- 1. Under **Administrative Templates**, scroll down and expand **System**
- 1. Under **System**, scroll down and select **Logon**
- 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
- 1. select **Next**
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
deleted file mode 100644
index 39fe957317..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-
-Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
-
-## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
-
-To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Settings catalog**
- 1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In the **Configuration settings** page:
- 1. Select **Add settings**
- 1. In the **Settings picker** window that opens:
- 1. Under **Browse by category**, expand **Administrative Templates**
- 1. Under **Administrative Templates**, scroll down and expand **Windows Components**
- 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
- 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
- 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
- 1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
deleted file mode 100644
index 795504237c..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Enable Personal Data Encryption (PDE) in Intune
-description: Enable Personal Data Encryption (PDE) in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Enable Personal Data Encryption (PDE)
-
-By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-## Enable Personal Data Encryption (PDE) in Intune
-
-To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
- 1. Under **Platform**, select **Windows 10 and later**
- 1. Under **Profile type**, select **Templates**
- 1. When the templates appears, under **Template name**, select **Custom**
- 1. Select **Create** to close the **Create profile** window
-1. The **Custom** screen will open. In the **Basics** page:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 1. Next to **Description**, enter a description
- 1. Select **Next**
-1. In **Configuration settings** page:
- 1. Next to **OMA-URI Settings**, select **Add**
- 1. In the **Add Row** window that opens:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 1. Next to **Description**, enter a description
- 1. Next to **OMA-URI**, enter in:
- **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
- 1. Next to **Data type**, select **Integer**
- 1. Next to **Value**, enter in **1**
- 1. Select **Save** to close the **Add Row** window
- 1. Select **Next**
-1. In the **Assignments** page:
- 1. Under **Included groups**, select **Add groups**
- > [!NOTE]
- > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
- 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
- 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Applicability Rules**, configure if necessary and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index 0bb7c66820..f526600bd4 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,19 +1,7 @@
items:
-- name: Overview
+- name: PDE overview
href: index.md
-- name: Configure PDE with Intune
- href: configure-pde-in-intune.md
-- name: Enable Personal Data Encryption (PDE)
- href: intune-enable-pde.md
-- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
- href: intune-disable-arso.md
-- name: Disable kernel-mode crash dumps and live dumps for PDE
- href: intune-disable-memory-dumps.md
-- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
- href: intune-disable-wer.md
-- name: Disable hibernation for PDE
- href: intune-disable-hibernation.md
-- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
- href: intune-disable-password-connected-standby.md
+- name: Configure PDE
+ href: configure.md
- name: PDE frequently asked questions (FAQ)
- href: faq-pde.yml
\ No newline at end of file
+ href: faq.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
index ece353e83c..e6bba9c9db 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index cba1170eaa..a61bf25eec 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -6,6 +6,7 @@ ms.date: 11/09/2022
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: best-practice
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
index f5c4d18144..11638e864b 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
index 7ccafddaa2..5751151190 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
index 08c06d4796..a2cad4e58d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/07/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 874e99e9c0..49aee564d3 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/08/2021
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
index 83418c0d85..af1b573655 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
ms.collection:
- highpri
- tier3
+ - must-keep
ms.topic: conceptual
ms.date: 09/08/2021
---
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index b7d2de8f44..c0f93ba219 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 08/01/2023
+ms.date: 08/17/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -50,6 +50,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
+| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is is no longer being developed. | September, 2019 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
PSR was removed in Windows 11.| 1909 |
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 90928f5742..2bab9205d6 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -152,7 +152,7 @@ For more information on the security features you can configure, manage, and enf
- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
- You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
+ You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.