diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 25701bb0a1..04839ec4dd 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -9982,7 +9982,47 @@
},
{
"source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
- "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
+ "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/application-security/index.md",
+ "redirect_url": "/windows/security/book/application-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/hardware-security/index.md",
+ "redirect_url": "/windows/security/book/hardware-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/cloud-services/index.md",
+ "redirect_url": "/windows/security/book/cloud-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/index.md",
+ "redirect_url": "/windows/security/book/identity-protection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/index.md",
+ "redirect_url": "/windows/security/book/operating-system-security",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/security-foundations/index.md",
+ "redirect_url": "/windows/security/book/security-foundation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/introduction.md",
+ "redirect_url": "/windows/security/book",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
+ "redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
}
]
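Review bot: L40 and L50 both redirect to `/windows/security/book/security-foundation` (singular) while the source folder on L39 and L49 is `security-foundations`; confirm the target slug exists, since a redirect into a missing book page returns a 404 instead of the content. Separately, L49 sends a specific topic (`zero-trust-windows-device-health.md`) to the section landing page; if that content moved to a specific book page, redirect to it so existing deep links keep their context. Dropping the `.md` suffix on L10 is correct, since no other `redirect_url` in the hunk carries one.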
diff --git a/README.md b/README.md
index 98c771d56d..97874f3f91 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Anyone who is interested can contribute to the topics. When you contribute, your
### Quickly update an article using GitHub.com
-Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute.
+Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://learn-video.azurefd.net/vod/player?id=b5167c5a-9c69-499b-99ac-e5467882bc92) also covers how to contribute.
1. Make sure you're signed in to GitHub.com with your GitHub account.
2. Browse to the page you want to edit on Microsoft Learn.
diff --git a/education/index.yml b/education/index.yml
index 1da8d77fdb..d70de3747c 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
- ms.date: 07/22/2024
+ ms.date: 12/05/2024
productDirectory:
title: For IT admins
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 54bf350d77..4f9ce1a8ed 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
---
-title: Configure federation between Google Workspace and Microsoft Entra ID
+title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
---
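Review bot: L83 capitalizes the product name as "Microsoft Entra Id"; the description on L84 has it right as "Microsoft Entra ID". The title-case conversion also uppercases "Between" and "And", which the other titles in this change handle inconsistently; suggest `title: Configure federation between Google Workspace and Microsoft Entra ID`, or at least restore "ID".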
@@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
-1. On the **Service provider detail's** page
+1. On the **Service provider detail's** page:
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
+ - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
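Review bot: L95 keeps the stray possessive in "Service provider detail's" while editing the line; there is no possessive here, so make it `1. On the **Service provider details** page:`. The trailing period removed on L99 is consistent with the other list items in this hunk.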
@@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
-:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
+ :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 889b10b393..bdd5d2761c 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -1,7 +1,7 @@
---
-title: Configure Stickers for Windows 11 SE
+title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11 SE
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index b0d6efa639..727c1a26bd 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -1,7 +1,7 @@
---
-title: Configure education themes for Windows 11
+title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index d5a0cb61fa..8d3050097f 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,8 +1,8 @@
---
-title: Get and deploy Minecraft Education
+title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/5/2024
ms.collection:
- education
- tier2
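Review bot: L147 sets `ms.date: 12/5/2024` without zero-padding, while every other date in this change uses `MM/DD/YYYY` (`12/02/2024` on L86, `12/05/2024` on L73); use `12/05/2024`.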
@@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
-If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+ If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing
@@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access
-1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note]
- > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+ > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
-:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+ :::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next**
1. On the *Review + Create* screen, select **Create**
-Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+ Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
-:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+ :::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
-For more information how to deploy Minecraft Education, see:
+ For more information how to deploy Minecraft Education, see:
-- [Windows installation guide][EDU-6]
-- [Chromebook installation guide][EDU-7]
-- [iOS installation guide][EDU-8]
-- [macOS installation guide][EDU-9]
+ - [Windows installation guide][EDU-6]
+ - [Chromebook installation guide][EDU-7]
+ - [iOS installation guide][EDU-8]
+ - [macOS installation guide][EDU-9]
-If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+ If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
-
-[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
-[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
-[EDU-3]: https://www.microsoft.com/education/products/office
-[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
-[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
-[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
-[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
-[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
-[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+ [EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+ [EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+ [EDU-3]: https://www.microsoft.com/education/products/office
+ [EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+ [EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+ [EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+ [EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+ [EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+ [EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
-[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
-[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+ [M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+ [M365-2]: /microsoft-365/admin/add-users/about-admin-roles
-[AKA-1]: https://aka.ms/minecraftedusupport
+ [AKA-1]: https://aka.ms/minecraftedusupport
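Review bot: L201 to L216 indent the link reference definitions under the preceding list item. Reference definitions belong at column 0 at the end of the file; if the indentation reaches four spaces they are rendered as a code block and every `[EDU-6]`-style reference in the article stops resolving, with the links silently shown as literal text. Keep the indentation on the paragraphs and image (L176 to L190) but leave the definitions unindented. While touching these lines, L206 and L207 still list `EDU-6` before `EDU-5`.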
diff --git a/education/windows/suspcs/provisioning-package.md b/education/windows/suspcs/provisioning-package.md
index 677b9b7b6f..bde1800fa4 100644
--- a/education/windows/suspcs/provisioning-package.md
+++ b/education/windows/suspcs/provisioning-package.md
@@ -1,7 +1,7 @@
---
-title: What's in Set up School PCs provisioning package
+title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: reference
appliesto:
- ✅ Windows 11
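Review bot: L224 mixes conventions: "In" and "Provisioning Package" are title-cased while "Set up" is not. "Set up School PCs" is the app name and should stay as written, so either keep the whole title in sentence case (`What's in Set up School PCs provisioning package`) or apply title case to all the non-product words.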
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 8c46ac4b93..b43345436f 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -1,7 +1,7 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
-ms.date: 02/29/2024
+ms.date: 11/11/2024
ms.topic: how-to
---
@@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
-- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
-- access other applications
-- change system settings, such as display extension, notifications, updates
-- access Cortana
-- access content copied to the clipboard
+- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- Access other applications
+- Change system settings, such as display extension, notifications, updates
+- Access Cortana
+- Access content copied to the clipboard
## How to use Take a Test
@@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
-:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
+ :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link
@@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can:
-- Paste the link to the assessment URL
-- Select the options you want to allow during the test
-- Generate the link by selecting the button Create link
+- Paste the link to the assessment URL.
+- Select the options you want to allow during the test.
+- Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
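Review bot: L267 to L269 add terminal periods to list items, whereas other hunks in this same change remove them (L99, L155, L165). Pick one convention for list items across the change; the removals suggest no trailing period is the intended style.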
@@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link
-Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@@ -85,4 +85,4 @@ To take the test, have the students open the link.
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
-To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
\ No newline at end of file
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md
index 7f2a9f9207..54cb82322a 100644
--- a/education/windows/tutorial-deploy-apps-winse/considerations.md
+++ b/education/windows/tutorial-deploy-apps-winse/considerations.md
@@ -1,7 +1,7 @@
---
-title: Important considerations before deploying apps with managed installer
+title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md
index 26e022bbbf..e7fdd29782 100644
--- a/education/windows/tutorial-deploy-apps-winse/create-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md
@@ -1,7 +1,7 @@
---
-title: Create policies to enable applications
+title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
@@ -54,7 +54,7 @@ To create supplemental policies, download and install the [WDAC Policy Wizard][E
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=1eedb284-5592-43e7-9446-ce178953502d]
### Create a supplemental policy for Win32 apps
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
index 62442e2058..4ab613f7f0 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
@@ -1,7 +1,7 @@
---
-title: Applications deployment considerations
+title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
index 63f6143853..990f4c894b 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
@@ -1,7 +1,7 @@
---
-title: Deploy policies to enable applications
+title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md
index 1c09685eed..c96283ec0c 100644
--- a/education/windows/tutorial-deploy-apps-winse/index.md
+++ b/education/windows/tutorial-deploy-apps-winse/index.md
@@ -1,7 +1,7 @@
---
-title: Deploy applications to Windows 11 SE with Intune
+title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
index 38a3ee9d4c..f23a6c4034 100644
--- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
+++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
@@ -1,7 +1,7 @@
---
-title: Troubleshoot app deployment issues in Windows SE
+title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
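Review bot: L363 renders the edition as "Windows Se"; the abbreviation is "SE" as on L369 and in the other new titles (L288, L302). Use `Troubleshoot App Deployment Issues In Windows SE` or, for consistency with the sibling pages, `Windows 11 SE`.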
diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
index 211638de72..4cfa11748b 100644
--- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
@@ -1,7 +1,7 @@
---
-title: Validate the applications deployed to Windows SE devices
+title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
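Review bot: Same issue as the troubleshoot title: L377 has "Windows Se" where the edition abbreviation is "SE" (see L383 and L288). Suggest `Validate The Applications Deployed To Windows SE Devices`.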
diff --git a/includes/iot/supported-os-enterprise-plus.md b/includes/iot/supported-os-enterprise-plus.md
new file mode 100644
index 0000000000..b6c086d649
--- /dev/null
+++ b/includes/iot/supported-os-enterprise-plus.md
@@ -0,0 +1,8 @@
+---
+author: TerryWarwick
+ms.author: twarwick
+ms-topic: include
+ms.date: 09/30/2024
+---
+
+**Supported Editions** ✅ IoT Enterprise LTSC✅ IoT Enterprise✅ Enterprise LTSC✅ Enterprise✅ Education
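Review bot: L393 uses `ms-topic: include` with a hyphen; the metadata key is `ms.topic` (compare L408 in `_edition-requirements.md`), so the build will not recognize this file's topic type. Also L397 runs the entries together with no space before each check mark ("IoT Enterprise LTSC✅ IoT Enterprise✅"); suggest `**Supported Editions** ✅ IoT Enterprise LTSC ✅ IoT Enterprise ✅ Enterprise LTSC ✅ Enterprise ✅ Education`.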
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index 9810ebe8bf..19e8e7499f 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,11 +1,11 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/06/2024
ms.topic: include
---
-| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
+| Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
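Review bot: L411 drops "/SE" from the Pro Education column header (and L458 does the same in `_licensing-requirements.md`) while this same change updates several Windows 11 SE articles that embed these tables. If SE is intentionally no longer represented, the edition tables no longer say anything about SE availability; confirm that is the intent or add a line stating how SE maps onto the remaining columns.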
@@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
@@ -32,7 +32,7 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
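Review bot: L446 adds `Windows Hotpatch` as the only row in the table without a link to its documentation; every other feature name is a link, so add one. Also check the edition values: the row gives Enterprise/IoT Enterprise "Yes" but Education "❌", whereas other Enterprise-only features in this table (Always On VPN device tunnel on L416, PDE on L438) are "Yes" for both; confirm Education is really excluded rather than copied from the Pro column.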
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 022cbf278b..0ba2e7193a 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -5,7 +5,7 @@ ms.date: 11/02/2023
ms.topic: include
---
-|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
@@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
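Review bot: the new **Windows Hotpatch** row has no documentation link, unlike the adjacent rows (Windows Firewall, Windows Hello for Business, Windows LAPS, Windows passwordless experience all link their article). Since the row marks the feature ❌ in three of the five columns, readers will want to know why it is limited to those editions; link the Hotpatch documentation so the availability claim is verifiable.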
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
index a0a28f91ae..ec20778da6 100644
--- a/windows/client-management/declared-configuration.md
+++ b/windows/client-management/declared-configuration.md
@@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
- `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
+ `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
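Review bot: while this sample log line is being edited, the Document Id `DCA000B5-397D-40A1-AABF-40B25078A7F91` still has 13 hex digits in its last group, so it is not a valid GUID and will confuse anyone matching it against a real Admin-channel event; trim it to 12. The unchanged context line above also reads "between the `` and inside DeclaredConfiguration document" with an empty code span where the element name belongs. Swapping the SID for one that reads as a constructed placeholder (`S-1-5-21-1004336348-1177238915-682003330-1234`) is the right call for published sample output.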
@@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel:
- `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`
\ No newline at end of file
+ `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`
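Review bot: the period added at the end of the operational-channel message sits inside the backticks (`...0x82d00007).`), so the quoted event text no longer matches what the log actually shows and a copy-paste search for the exact string will miss. Move the period outside the code span or drop it; the missing trailing newline fix itself is fine.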
diff --git a/windows/client-management/images/8908044-recall-search.png b/windows/client-management/images/8908044-recall-search.png
new file mode 100644
index 0000000000..16ec5fda8b
Binary files /dev/null and b/windows/client-management/images/8908044-recall-search.png differ
diff --git a/windows/client-management/images/8908044-recall.png b/windows/client-management/images/8908044-recall.png
deleted file mode 100644
index 92c93c46cb..0000000000
Binary files a/windows/client-management/images/8908044-recall.png and /dev/null differ
diff --git a/windows/client-management/images/9598546-copilot-key-settings.png b/windows/client-management/images/9598546-copilot-key-settings.png
new file mode 100644
index 0000000000..e4c6e3ed8d
Binary files /dev/null and b/windows/client-management/images/9598546-copilot-key-settings.png differ
diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md
index 82a405289c..f8a052962b 100644
--- a/windows/client-management/manage-recall.md
+++ b/windows/client-management/manage-recall.md
@@ -1,9 +1,9 @@
---
title: Manage Recall for Windows clients
-description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
+description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to
ms.subservice: windows-copilot
-ms.date: 06/13/2024
+ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
@@ -18,72 +18,161 @@ appliesto:
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
-Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
+
+This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE]
-> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
+> - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
+> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
+> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
-When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+## What is Recall?
-:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
+Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+
+When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+
+:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
+
+### Recall security and privacy architecture
+
+Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
+
+Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
+
+When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
+
+In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
+
+Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
+
+- **Search the web**: Sends the selected content to the default search engine of the default browser
+- **Open website**: Opens the selected website in the default browser
+- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
+
+When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
+
+- `C:\Users\[username]\AppData\Local\Temp`
+
+Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements
-Recall has the following minimum system requirements:
-- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
+Recall has the following minimum requirements:
+
+- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- - Snapshot capture automatically pauses once the device has less than 25 GB of disk space
+ - Saving snapshots automatically pauses once the device has less than 25 GB of storage space
+- Users need to enable Device Encryption or BitLocker
+- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers
-Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
+Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
-- **Microsoft Edge**: blocks websites and filters private browsing activity
-- **Firefox**: blocks websites and filters private browsing activity
-- **Opera**: blocks websites and filters private browsing activity
-- **Google Chrome**: blocks websites and filters private browsing activity
-- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
+- **Microsoft Edge**: filters specified websites and filters private browsing activity
+- **Firefox**: filters specified websites and filters private browsing activity
+- **Opera**: filtered specified websites and filters private browsing activity
+- **Google Chrome**: filters specified websites and filters private browsing activity
+- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall
-Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
+By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
+
+- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
+- [Storage policies](#storage-policies)
+- [App and website filtering policies](#app-and-website-filtering-policies)
+
+
+### Allow Recall and snapshots policies
+
+The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| | Setting |
|---|---|
-| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
-| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
-
-## Limitations
-
-In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
-
-## User controlled settings for Recall
-
-The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
-
-- Website filtering
-- App filtering
-- Storage allocation
- - When the storage limit is reached, the oldest snapshots are deleted first.
-- Deleting snapshots
- - Delete all snapshots
- - Delete snapshots within a specific time frame
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
-### Storage allocation
+The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
-The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
-
-| Device storage capacity | Storage allocation options for Recall |
+| | Setting |
|---|---|
-| 256 GB | 25 GB (default), 10 GB |
-| 512 GB | 75 GB (default), 50 GB, 25 GB |
-| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
+### Storage policies
+
+You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
+
+You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
+
+
+### App and website filtering policies
+
+You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
+
+To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+> [!NOTE]
+> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
+> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
+> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
+
+
+**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!Note]
+> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
+
+
+#### Remote desktop connection clients filtered from snapshots
+
+Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:
+
+ - [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
+ - [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
+ - [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+ - [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
+ - [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
+ - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
+ - [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+
+
+
+
+## Information for developers
+
+If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Microsoft's commitment to responsible AI
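Review bot: the Group policy row in the **Set maximum duration for storing snapshots used by Recall** table names the wrong policy on the Computer Configuration side (`Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall**`), a copy-paste from the storage table; the User Configuration half of the same cell has the correct name. Two statements in this hunk also contradict each other: the system requirements say "Users need to enable Device Encryption or BitLocker", while the security architecture paragraph says "Device Encryption or BitLocker are enabled by default on Windows 11"; pick one framing so admins know whether disk encryption is a prerequisite they must enforce before the snapshot store is protected. The Allow Recall paragraph refers to "DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall)" while every table calls it **Turn off saving snapshots for Windows**, and it repeats "By default, Recall is disabled and removed for managed devices" in two consecutive sentences. Smaller fixes: "**Opera**: filtered specified websites" should read "filters"; `https://www.` is listed as a URL scheme but only `https://` is one; the AUMID example `Microsoft. WindowsNotepad_8wekyb3d8bbwe!App` has a stray space that would make the filter entry not match; the URI-list Group policy cell has a stray `>` inside both bold policy names; `> [!Note]` should be `> [!NOTE]` as elsewhere; cells that list both a Device and a User CSP path (or both Computer and User Group policy paths) run the two together with no separator, so give each its own line or row; the remote desktop client list items are indented by a leading space unlike the other lists; and the runs of two to four blank lines before `### Allow Recall and snapshots policies`, `### App and website filtering policies`, and `## Information for developers` should collapse to one.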
@@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
-## Information for developers
-
-If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
+## Related links
+- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
+- [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
+- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
+- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
+- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
+- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)
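Review bot: the new `## Related links` heading is immediately followed by its first list item with no blank line, unlike every other heading in this article; add one. The "Retrace your steps with Recall" entry also uses a shorter support URL (`.../windows/aa03f8a0-...`) than the same link at the top of the article (`.../windows/retrace-your-steps-with-recall-aa03f8a0-...`); both forms likely resolve, but use one consistently.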
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index d2904f504a..fdb5c9671f 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -1,9 +1,9 @@
---
-title: Updated Windows and Microsoft Copilot experience
+title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
-ms.date: 09/18/2024
+ms.date: 01/22/2025
ms.author: mstewart
author: mestew
ms.collection:
@@ -13,62 +13,62 @@ appliesto:
- ✅ Windows 11, version 22H2 or later
---
-# Updated Windows and Microsoft Copilot experience
+# Updated Windows and Microsoft 365 Copilot Chat experience
->**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
+>**Looking for consumer information?** See [Welcome to Copilot on Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
## Enhanced data protection with enterprise data protection
-The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq).
+The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq).
> [!IMPORTANT]
> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not.
## Copilot in Windows (preview) isn't enabled
-If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
+If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
> [!NOTE]
> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning.
## Copilot in Windows (preview) is enabled
-If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
+If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
-If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
+If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
## Users signing in to new PCs with Microsoft Entra accounts
For users signing in to new PCs with work or school accounts, the following experience occurs:
-- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
-- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app.
-- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button.
- - Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- - Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot.
-- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
-- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
-- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from unless that URL is blocked by the IT admin.
-- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access.
+- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
+- Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app.
+- Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button.
+ - Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
+ - Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
+ - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot.
+- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
+- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams.
+- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from unless that URL is blocked by the IT admin.
+- If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access.
## When will this happen?
-The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
-
-The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
-
-> [!IMPORTANT]
-> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning.
+The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
+The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
+
+The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
+
+Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
-## Policy information
+## Policy information for previous Copilot in Windows (preview) experience
-Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center.
+Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center.
-The following policy to manage Copilot in Windows (preview) will be removed in the future:
+The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy:
| | Setting |
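Review bot: The new paragraph near the end of "When will this happen?" (the line beginning "Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication") contradicts the sentence right after it, which tells Microsoft Entra users to use the Microsoft 365 Copilot app as their entry point; the app that lacks Entra sign-in is the consumer Copilot app (package Microsoft.Copilot, as named later in this file under the AppLocker and PowerShell removal steps), so the first sentence should say "the Copilot app", not "the Microsoft 365 Copilot app". Two smaller fixes in the same hunk: the first bullet under "Users signing in to new PCs" still reads "this is the app comes preinstalled with Windows" (missing "that"), and the bullet about admins choosing not to pin ends "Users have access to Microsoft 365 Copilot Chat from unless that URL is blocked", where the URL itself is missing; the address given later in this file, https://copilot.cloud.microsoft/, looks like the intended value. Also "pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed" reads better as "because the Copilot in Windows (preview) icon will be removed".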
@@ -76,3 +76,83 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
+## Remove or prevent installation of the Copilot app
+
+You can remove or uninstall the Copilot app from your device by using one of the following methods:
+
+1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
+
+1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
+ 1. Prevent installation of the Copilot app:
+ - Configure [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows update. AppLocker helps you control which apps and files users can run. Note: AppLocker policy should be used instead of the [Turn Off Windows Copilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) legacy policy setting and its MDM equivalent, [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot). The policy is subject to near-term deprecation.
+ - The Applocker policy can be configured by following one of the methods listed in [Edit an AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy) and adding the below text to the policy:
+ **Publisher**: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
+ **Package name**: MICROSOFT.COPILOT
+ **Package version**: * (and above)
+
+ 1. Remove the Copilot app using PowerShell script:
+ 1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results.
+ 1. Once the PowerShell window is open, enter the following commands:
+ ```powershell
+ # Get the package full name of the Copilot app
+ $packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName
+ # Remove the Copilot app
+ Remove-AppxPackage -Package $packageFullName
+ ```
+
+
+## Implications for the Copilot hardware key
+
+The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft).
+
+For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page.
+
+The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app.
+
+To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app.
+
+Use the table below to help determine the experience for your managed organization:
+
+| Configuration | Copilot experience | Copilot key invokes |
+| ---| --- | --- |
+| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search |
+| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app |
+| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). |
+| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. |
+
+
+## Policies to manage the Copilot key
+
+Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md).
+
+To configure the Copilot key, use the following policy:
+
+| | Setting |
+|---|---|
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetCopilotHardwareKey](mdm/policy-csp-windowsai.md#setcopilothardwarekey) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** |
+
+
+## End user settings for the Copilot key
+
+If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs:
+
+`ms-settings:personalization-textinput-copilot-hardwarekey`
+
+:::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png":::
+
+
+
+If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
+
+To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store.
+
+Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements.
+
+
+## Copilot installation with Windows updates and controls
+
+If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will:
+
+- Prevent the app from being installed if it isn't already on the device.
+- Block the app from being launched if it's already installed.
\ No newline at end of file
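Review bot: The first sentence of "Implications for the Copilot hardware key" says the Microsoft 365 Copilot app is available only to consumer Microsoft-account users and won't work for Microsoft Entra users, but the next two paragraphs and the table tell admins to remap the Copilot key to the Microsoft 365 Copilot app precisely so that Entra users can reach Copilot; the consumer-only app is the Copilot app (Microsoft.Copilot) that this same section later recommends uninstalling, so that sentence should name "the Copilot app". In the PowerShell snippet under "Remove the Copilot app using PowerShell script", `Get-AppxPackage -Name "Microsoft.Copilot"` returns nothing when the package isn't installed for the current user, and `Remove-AppxPackage -Package $null` then fails with a parameter-binding error; guard it, for example `Get-AppxPackage -Name "Microsoft.Copilot" | Remove-AppxPackage`, and state that without `-AllUsers` (which needs an elevated prompt) the package is removed only for the signed-in user, which matters for an admin expecting device-wide removal. In the AppLocker bullet, "The policy is subject to near-term deprecation" is ambiguous about which policy; say "the TurnOffWindowsCopilot policy". Minor: "Settings > Apps >Installed Apps" is missing a space, "Applocker" should be "AppLocker", "a protocol to launch the Settings app remap the Copilot key" is missing "to" or "and", "ensuring the app options the Copilot key can remap to meet security and privacy requirements" needs rewording, and the file now ends without a trailing newline.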
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index e32ee78e33..2774e66244 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -54,7 +54,7 @@ Available naming macros:
Supported operation is Add.
> [!Note]
-> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+> For desktop PCs on supported versions of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
**Users**
Interior node for the user account information.
@@ -62,12 +62,26 @@ Interior node for the user account information.
**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
+> [!IMPORTANT]
+> The username is limited to 20 characters.
+
**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from Intune.
+> [!IMPORTANT]
+> This string needs to meet the current password policy requirements.
+>
+> Escape any special characters in the string. For example,
+>
+> | Character | Escape sequence |
+> |:---|:---|
+> | `<` | `<` |
+> | `>` | `>` |
+> | `&` | `&` |
+
**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
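Review bot: In the escape table added under Users/_UserName_/Password, the "Escape sequence" column shows the same character as the "Character" column (`<` for `<`, `>` for `>`, `&` for `&`), so as rendered it tells the reader nothing; the cells should carry the XML entity forms (`&lt;`, `&gt;`, `&amp;`), written so the Markdown renderer displays them literally instead of decoding them back to the raw character. A half sentence on why the escaping is needed (the password value is carried inside the SyncML XML body of the MDM request) would make the requirement self-explanatory, and "Escape any special characters" should list exactly which characters the node requires escaping for rather than leaving "any" open-ended.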
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index cc69b6bb5a..279c109882 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
-ms.date: 04/10/2024
+ms.date: 11/26/2024
---
@@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
-Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`.
+Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
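Review bot: The fix to the AUMID example is right, but the unchanged sentence above it, "This node can accept and return json string which comprises of account name, and AUMID", should read "a JSON string that comprises the account name and the AUMID" while this line is being touched.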
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 9841e9f442..ac0fd65b21 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
-| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
-| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
-| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
+| 4 | Current Channel (Staged): Same as Current Channel (Broad). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
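Review bot: The new row for value 4 reads "Current Channel (Staged): Same as Current Channel (Broad).", which leaves the reader unable to tell whether 4 is deprecated, kept for compatibility, or still does something distinct; spell out that 4 and 5 now behave identically and which value new configurations should use. The value 0 row now warns that the device may be placed in a beta channel that "may not be suitable for devices in a production or critical environment" yet still carries the "(Default)" label; a short explicit recommendation next to it (set 5 for production devices) would stop admins reading "Default" as "safe".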
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 2055d5bdf0..1e199886e7 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D
0
- Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+ Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment4
- Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
+ Current Channel (Staged): Same as Current Channel (Broad).5
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.
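Review bot: Both added description lines end with the next enumeration value fused onto them ("...production or critical environment4" and "...Same as Current Channel (Broad).5"), whereas the removed lines and the "0" above them keep the value on its own line; check that the closing tag of the description element and the following value element in the DDF XML weren't joined when the text was pasted in, because a "4" or "5" absorbed into description text would change what MDM tooling reads for those enumerations. The value-0 description has also lost its final period.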
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index ef825d0541..a348f66fcb 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,7 +1,7 @@
---
title: DevDetail CSP
description: Learn more about the DevDetail CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
-Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 10c971f332..79e8b34817 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,7 +1,7 @@
---
title: DMClient CSP
description: Learn more about the DMClient CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
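Review bot: Inside the new code span the delimiter appears as `;4"\xF000" ./Vendor...`, with the quotation marks from the `L"\xF000"` notation left around it, so a reader could take the double quotes as part of the value; either describe the delimiter as the single character U+F000 placed between the two LocURIs or keep the `L"\xF000"` notation consistently. After the code span, "Which will represent that..." is still a capitalized fragment; rewrite it as "This represents that..." or fold it into the preceding sentence. The same applies to the three parallel hunks below in this file.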
@@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
@@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
@@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
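Review bot: the same two issues recur in this hunk and in the EnterpriseModernAppManagement hunk just above it (stray quotes around `\xF000` inside the code span, and the capitalised fragment "Which will represent"); this node text differs from the first hunk only by the trailing "This is per user.", so whatever fix is applied there should be mirrored in both.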
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 6357958bf3..fc8a278aae 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
-ms.date: 09/11/2024
+ms.date: 11/26/2024
---
@@ -6951,7 +6951,7 @@ Interior node for all managed app setting values.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
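Review bot: "key value pair" should be hyphenated as "key-value pair" in this sentence; the identical sentence is repeated in the two following hunks at lines 8193 and 9495 of this file, so all three should be corrected together.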
@@ -8193,7 +8193,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
@@ -9495,7 +9495,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index 2a4648393a..1efd2767f5 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -1,25 +1,31 @@
---
-title: PDE CSP
-description: Learn more about the PDE CSP.
-ms.date: 01/18/2024
+title: Personal Data Encryption CSP
+description: Learn more about the Personal Data Encryption CSP.
+ms.date: 11/27/2024
---
-# PDE CSP
+# Personal Data Encryption CSP
-The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
-The following list shows the PDE configuration service provider nodes:
+The following list shows the Personal Data Encryption configuration service provider nodes:
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
+ - [ProtectFolders](#protectfolders)
+ - [ProtectDesktop](#protectfoldersprotectdesktop)
+ - [ProtectDocuments](#protectfoldersprotectdocuments)
+ - [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
+ - [FolderProtectionStatus](#statusfolderprotectionstatus)
+ - [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
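Review bot: dropping "(PDE)" from the intro sentence leaves the node path `./User/Vendor/MSFT/PDE` unexplained now that the title says Personal Data Encryption; keep the abbreviation on first use ("Personal Data Encryption (PDE) configuration service provider") so the URI segment is accounted for. The intro also still says the CSP was added in Windows 11, version 22H2, while every node added in this PR requires version 24H2 [10.0.26100]; a one-line note that ProtectFolders and the folder status nodes need 24H2 would save readers from checking each table.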
@@ -45,7 +51,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
-The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
+The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
@@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
+
+## ProtectFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDesktop
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDocuments
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectPictures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
## Status
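Review bot: the three ProtectFolders leaf nodes list allowed values 0 and 1 but no default value, and their Access Type includes Delete without saying what deleting the node does to an already protected folder; since the Dependency row makes them effective only when EnablePersonalDataEncryption is 1, stating the default and the Delete behaviour would remove the ambiguity. Minor: "on Desktop folder", "on Documents folder" and "on Pictures folder" should read "on the Desktop folder", etc.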
@@ -93,10 +284,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
-Reports the current status of Personal Data Encryption (PDE) for the user.
+Reports the current status of Personal Data Encryption for the user.
-- If prerequisites of PDE aren't met, then the status will be 0.
-- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
+- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
@@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
+
+### Status/FolderProtectionStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
+```
+
+
+
+
+This node reports folder protection status for a user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Protection not started. |
+| 1 | Protection is completed with no failures. |
+| 2 | Protection in progress. |
+| 3 | Protection failed. |
+
+
+
+
+
+
+
+
+
+### Status/FoldersProtected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FoldersProtected
+```
+
+
+
+
+This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
### Status/PersonalDataEncryptionStatus
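Review bot: FoldersProtected is a `chr` value described as "all folders (full path to each folder)", but the text doesn't say how multiple paths are separated; other CSP pages touched in this PR document the separator explicitly (the L"\xF000" delimiter in EnterpriseDesktopAppManagement), so the delimiter belongs here too. FolderProtectionStatus is a single int per user covering up to three folders; clarify whether 3 (Protection failed) means any one folder failed and 1 means every requested folder succeeded.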
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
index 165f97507c..e59ad7a14f 100644
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -1,14 +1,14 @@
---
-title: PDE DDF file
-description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
-ms.date: 06/28/2024
+title: Personal Data Encryption DDF file
+description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
+ms.date: 11/26/2024
---
-# PDE DDF file
+# Personal Data Encryption DDF file
-The following XML file contains the device description framework (DDF) for the PDE configuration service provider.
+The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml
@@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P
+
+ ProtectFolders
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ ProtectDocuments
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectDesktop
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectPictures
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+ Status
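Review bot: the DDF description strings still use the abbreviation ("Allows the Admin to enable PDE on Documents folder", "Disable PDE on the folder", "Enable PDE on the folder") while the CSP page in this same PR spells out Personal Data Encryption; the rendered page mirrors these description strings, so the two will diverge again unless the DDF text is updated as well.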
@@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P
+
+ FolderProtectionStatus
+
+
+
+
+ This node reports folder protection status for a user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ 0
+ Protection not started.
+
+
+ 1
+ Protection is completed with no failures.
+
+
+ 2
+ Protection in progress.
+
+
+ 3
+ Protection failed.
+
+
+
+
+
+ FoldersProtected
+
+
+
+
+ This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
@@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles
-[PDE configuration service provider reference](personaldataencryption-csp.md)
+[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index ea1f4f9b24..057bf0381f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index 57e70841a5..0e4249d643 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Display
- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
+- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
## DMClient CSP
@@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
+## NewsAndInterests
+
+- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
+
## PassportForWork CSP
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
@@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
+## Start
+
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
+
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
@@ -137,9 +147,14 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
-- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
+- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
+- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
+- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
+- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
+- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
+- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP
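Review bot: this hunk drops SetCopilotHardwareKey from the preview list without explanation while adding the Recall policies; if the policy shipped and moved to a released page, say so in the PR description, and if it was withdrawn, check that the `#setcopilothardwarekey` anchor in policy-csp-windowsai.md isn't referenced elsewhere. The resulting list is also no longer alphabetical (SetDeny... ahead of Disable..., AllowRecallEnablement last), unlike the Display and Start sections in this file.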
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index 00b4cf5513..c31407acd6 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -1,7 +1,7 @@
---
title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
-You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule.
+You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
-You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
+You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index b819fe73bf..db99a6aa70 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -1,7 +1,7 @@
---
title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
-To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
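Review bot: the canonical names are now in code spans, but the NOTE immediately below still has the module names and resource identifiers (timedate.cpl, inetcpl.cpl, @systemcpl.dll,-1, @themecpl.dll,-1) in plain text; format them the same way for consistency, and the same applies to the parallel paragraph and note in the next hunk of this file.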
@@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
-To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index fa0478440b..3afb3d8385 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
-If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image.
+If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
index fd3f6d2bcd..a1d1ae6ea2 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
@@ -1,7 +1,7 @@
---
title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -32,7 +32,7 @@ ms.date: 08/06/2024
-This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault.
+This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
-This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics.
+This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
-Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur.
+Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
-- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss.
+- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
-- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken.
+- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
-- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default.
+- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
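Review bot: in the "Self-Monitoring And Reporting Technology" line the period is still misplaced: `(S.M.A.R.T). is` should read `(S.M.A.R.T.) is`, matching the other occurrences corrected in this hunk.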
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index dc1ec2aa56..38077183bb 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
-By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
-For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
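Review bot: "connection specific DNS suffix" in the changed example line is inconsistent with "connection-specific DNS suffix" in the unchanged paragraph above it; hyphenate it here too while the line is being touched.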
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index e9a61f1c6b..ab3f86952a 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -1,7 +1,7 @@
---
title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -120,7 +120,7 @@ This policy setting configures File Explorer to always display the menu bar.
| Name | Value |
|:--|:--|
| Name | AlwaysShowClassicMenu |
-| Friendly Name | Display the menu bar in File Explorer |
+| Friendly Name | Display the menu bar in File Explorer |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
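Review bot: the removed and added `| Friendly Name | Display the menu bar in File Explorer |` rows are visually identical, so the diff gives no clue what was corrected (most likely trailing whitespace or a non-breaking space inside the friendly name). Please state the actual change in the commit message or PR description so a later reader of the history can tell this was a deliberate character fix rather than an accidental reformat.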
diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
index f62f39edaf..d75b0ff1aa 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
@@ -1,7 +1,7 @@
---
title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with
Example value:
-Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy.
+`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index 1b08f87864..7e30bbd527 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
-If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
+If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
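Review bot: while touching this sentence, "configurable on a per volume basis" should read "on a per-volume basis" (compound modifier). The "they will" to "they'll" change matches the contraction style used across the rest of this PR.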
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
index 6dc909c654..80d999ad7a 100644
--- a/windows/client-management/mdm/policy-csp-admx-globalization.md
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -1,7 +1,7 @@
---
title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
-This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
+This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 2664598272..4eee3e095e 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
-This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0.
+This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified.
@@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in
-This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
+This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
@@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index f7467145fb..1c2b4f1df2 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -1,7 +1,7 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index 01ba02840f..32edc6861a 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -1,7 +1,7 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
-If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
+If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index f6d72112f3..2283c9803a 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -1,7 +1,7 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
-By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
+By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 9100a4bbb3..edcd5eab3e 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu.
-This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file.
+This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
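Review bot: the new code span `.Library-ms or .searchConnector-ms` wraps the prose word "or" inside the backticks, which renders the English conjunction as code. Split it into two spans, `.Library-ms` or `.searchConnector-ms`, in both places on the added line. For consistency the quoted example paths ("C:\sampleLibrary.Library-ms" and "C:\sampleSearchConnector.searchConnector-ms") would also read better as code spans, since the file extensions they contain are now formatted as code elsewhere in the same sentence.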
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 885f96e31a..64cecc6c0c 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
Manages a Windows app's ability to share data between users who have installed the app.
-- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API.
+- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
@@ -629,7 +629,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre-
| Name | Value |
|:--|:--|
| Name | DisableStoreApps |
-| Friendly Name | Disable all apps from Microsoft Store |
+| Friendly Name | Disable all apps from Microsoft Store |
| Location | Computer Configuration |
| Path | Windows Components > Store |
| Registry Key Name | Software\Policies\Microsoft\WindowsStore |
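Review bot: the `| Friendly Name | Disable all apps from Microsoft Store |` row is replaced by an identical-looking row, so whatever was fixed here is an invisible character (whitespace or encoding). Worth noting in the PR description what the offending character was, because it is the only non-date change in this file and cannot be reviewed from the diff alone.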
@@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
-- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store.
+- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 63caf16da0..c6597902db 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,7 +1,7 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 01dbd07987..40fec4ce18 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,7 +1,7 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -32,7 +32,7 @@ ms.date: 01/18/2024
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 863938353d..62f0079893 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
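Review bot: the added sentence in the note is the security-relevant change in this file, but its wording is loose: "it is recommended that the same settings should not be configured" doubles the modal, and "unless the settings are under the control of MDMWinsOverGP" is vague about what that means. Suggest something like: "Don't configure the same setting in both Group Policy and MDM unless the setting is in Policy CSP and MDMWinsOverGP is set; otherwise the two sources conflict and there's no guarantee which one wins." This also keeps the contraction style the rest of the PR is applying, whereas the added text uses "it is", "should not", "there will be".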
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 2eef54311e..fc264fa2a8 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -30,7 +30,7 @@ ms.date: 09/27/2024
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 01753099d8..52da6d75c4 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,7 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -32,7 +32,7 @@ ms.date: 11/05/2024
-This policy set the default display to set the arrangement between cloning or extending.
+This policy sets the default display arrangement to pick between clone or extend.
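Review bot: "pick between clone or extend" should be "choose between clone and extend" ("between ... and"). Consider also naming the values the way the Allowed values table does, so the description and the table use the same terms.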
@@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex
|:--|:--|
| Name | ConfigureMultipleDisplayMode |
| Path | Display > AT > System > DisplayCat |
-| Element Name | ConfigureMultipleDisplayModePrompt |
+| Element Name | DisplayConfigureMultipleDisplayModeSettings |
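Review bot: this rename of the Group policy mapping element from `ConfigureMultipleDisplayModePrompt` to `DisplayConfigureMultipleDisplayModeSettings` is a content correction, not a date bump, and nothing in the diff shows where the new name comes from. Please confirm it matches the element name in the shipping ADMX, since anyone cross-referencing the policy in a GPO editor will search for this string.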
@@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
+
+## SetClonePreferredResolutionSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
+```
+
+
+
+
+This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Default. |
+| 1 (Default) | Internal. |
+| 2 | External. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetClonePreferredResolutionSource |
+| Path | Display > AT > System > DisplayCat |
+| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
+
+
+
+
+
+
+
+
## TurnOffGdiDPIScalingForApps
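Review bot: the Allowed values table for SetClonePreferredResolutionSource is ambiguous: value `0` is described as "Default." while value `1` is marked "(Default)" as the default value, so two rows claim to be the default. Describe `0` by its behavior (for example "System default" or "Not configured") so it is distinguishable from the `Default Value | 1` row in the properties table. The description line "sets the cloned monitor preferred resolution source to an internal or external monitor by default" would also benefit from stating that `1` is Internal and `2` is External. Finally, the block carries many consecutive blank lines between the tables; if these come from the generator they are fine, otherwise trim them to match the neighboring policy sections.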
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index bfcf5c6f27..5cb73b8c77 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file-
-This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
+This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
-- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
+- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
-- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.
+- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
@@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
@@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -13373,7 +13373,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
| Name | Value |
|:--|:--|
| Name | VerMgmtDisableRunThisTime |
-| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
+| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer > Security Features > Add-on Management |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext |
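Review bot: The Friendly Name line in this hunk (`Remove "Run this time" button for outdated ActiveX controls in Internet Explorer`) reads identically before and after, so the change must be whitespace or an invisible character; say so in the commit message (for example "normalize non-breaking space in friendly name") so reviewers do not have to compare the two lines byte by byte. The same applies to the identical-looking Friendly Name changes for Security_HKLM_only and TS_DISCONNECT_ON_LOCK_POLICY further down.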
@@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -16472,7 +16472,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy.
| Name | Value |
|:--|:--|
| Name | Security_HKLM_only |
-| Friendly Name | Security Zones: Use only machine settings |
+| Friendly Name | Security Zones: Use only machine settings |
| Location | Computer Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
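Review bot: As with the VerMgmtDisableRunThisTime table above, the Friendly Name for Security_HKLM_only is visually unchanged between the `-` and `+` lines; if this is a whitespace or non-breaking-space normalization, note it in the commit message rather than leaving the reader to guess.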
@@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index bdd4e1fcd0..3c37204919 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -9,7 +9,7 @@ ms.date: 11/05/2024
# Policy CSP - LocalPoliciesSecurityOptions
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+[!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)]
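Review bot: The new include alt text duplicates the word "Windows" (`[Windows Windows Insider Preview tip]`); the other files in this same change (NewsAndInterests, Start) use `[Windows Insider tip](includes/mdm-insider-csp-note.md)`, so use that wording here as well for consistency.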
@@ -517,7 +517,7 @@ Audit: Shut down system immediately if unable to log security audits This securi
-Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
+Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
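Review bot: Dropping the first "Administrators" changes the meaning of the setting: the original flattened text listed two selectable options, "Administrators" and "Administrators and Interactive Users", and the new text keeps only the second, which then contradicts the "Default: ... only Administrators have this ability" sentence on the same line. Restore the structure instead of deleting a word, e.g. "This capability can be given to: Administrators; Administrators and Interactive Users."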
@@ -1117,7 +1117,7 @@ Domain member: Require strong (Windows 2000 or later) session key This security
-Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4)
+Interactive Logon: Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4)
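Review bot: While fixing the missing space after the colon, also align the capitalization: this setting is written "Interactive Logon:" but the neighbouring settings in this file (e.g. the "Interactive logon: Message title" and "Interactive logon: Number of previous logons to cache" context lines below) use "Interactive logon:".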
@@ -1556,7 +1556,7 @@ Interactive logon: Message title for users attempting to log on This security se
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -1568,6 +1568,9 @@ Interactive logon: Message title for users attempting to log on This security se
Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
+
+> [!NOTE]
+> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
@@ -1780,7 +1783,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.
-- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
+- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
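Review bot: The grammar fix ("is enabled" to "are enabled") is correct, but the same line still carries a broken link at its end, `reference:< https://go.microsoft.com/fwlink/?LinkID=787136>`; since the line is already being touched, change it to `reference: <https://go.microsoft.com/fwlink/?LinkID=787136>` so the URL renders as a link rather than literal text with a stray space.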
@@ -2021,7 +2024,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only.
> [!IMPORTANT]
-> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
+> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
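Review bot: Same issue as the client-side setting above: the trailing `reference:< https://go.microsoft.com/fwlink/?LinkID=787136>` on the edited line should become `reference: <https://go.microsoft.com/fwlink/?LinkID=787136>`. The unchanged context line just above it ("... will never negotiate SMB packet signing. on domain controllers only.") also ends in an orphaned fragment worth cleaning up in the same pass, since this hunk is already rewriting the surrounding text.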
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index d2ccb8d7eb..c2b7e4d9b0 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 11/26/2024
---
@@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
-By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
+By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
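Review bot: Removing the parenthetical loses the only pointer to which Launcher API is meant; rather than deleting it, replace the garbled `(Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs)` with a proper markdown link to the Windows.System.Launcher class reference so readers configuring kiosk mode can still find it.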
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 16fabdc822..df2f909bd6 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -1,7 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/27/2024
---
@@ -9,6 +9,8 @@ ms.date: 01/18/2024
# Policy CSP - NewsAndInterests
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
+
+## DisableWidgetsOnLockScreen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
+```
+
+
+
+
+Disable widgets on lock screen.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enabled. |
+| 1 | Disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableWidgetsOnLockScreen |
+| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
+
+
+
+
+
+
+
+
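Review bot: The allowed values for DisableWidgetsOnLockScreen are ambiguous as written: with a policy named "Disable...", "0 (Default) | Enabled." could mean the widgets are enabled or the policy is enabled. Spell it out, e.g. "0 (Default) | Widgets are shown on the lock screen." and "1 | Widgets are disabled on the lock screen." The one-line description ("Disable widgets on lock screen.") should also say what the setting does rather than repeating its name, and the Group policy mapping row `NewsAndInterests > AT > WindowsComponents > NewsAndInterests` looks like an internal ADMX category path rather than the editor path format used elsewhere in these files (compare `Windows Components > Internet Explorer > Security Features > Add-on Management` above), and it lacks the Friendly Name and Registry Key Name rows the other mappings carry. The run of blank lines between the description and the properties table can be trimmed too.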
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index a3d59bef8b..898fb3e01b 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 11/26/2024
---
@@ -197,7 +197,7 @@ This policy applies only when using legacy authentication to authenticate to the
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
-| Friendly Name | Disconnect remote session on lock for legacy authentication |
+| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
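Review bot: The TS_DISCONNECT_ON_LOCK_POLICY Friendly Name is a third identical-looking `-`/`+` pair in this change; if these are whitespace normalizations, one sentence in the commit message covering all of them would save reviewers from diffing bytes.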
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 1def7d700f..53395cdd0b 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,7 +1,7 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
-- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
+- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE]
> This policy won't be applied until the system is rebooted.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 418199d466..bd79220cf2 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,7 +1,7 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/27/2024
---
@@ -9,6 +9,8 @@ ms.date: 08/06/2024
# Policy CSP - Start
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
+
+## AlwaysShowNotificationIcon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Auto-hide notification bell icon. |
+| 1 | Show notification bell icon. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysShowNotificationIcon |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
## ConfigureStartPins
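Review bot: The new AlwaysShowNotificationIcon section has no description text at all; the block between the ```User fence and "Description framework properties" is only blank lines, where every other policy in this file carries at least one sentence explaining the setting. Add a short description (the allowed-values table suggests "Controls whether the notification bell icon in the taskbar is always shown or auto-hidden"), and double-check the Group policy mapping path `Taskbar > AT > StartMenu`, which uses an internal-looking category path rather than the editor path format used elsewhere and sits under a Taskbar category for a policy documented in the Start area.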
@@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St
+
+## TurnOffAbbreviatedDateTimeFormat
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Show abbreviated time and date format. |
+| 1 | Show classic time and date format. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffAbbreviatedDateTimeFormat |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
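Review bot: Same gap as AlwaysShowNotificationIcon above: TurnOffAbbreviatedDateTimeFormat ships with an empty description block (the run of blank lines after the ```User fence) and a Group policy mapping path `Taskbar > AT > StartMenu` that does not match the editor path format used elsewhere in these files. Add a sentence stating that the policy switches the taskbar clock between the abbreviated and classic date/time format, which is what the allowed-values table implies, and trim the surplus blank lines.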
diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md
index dbcd21af22..796c69e84b 100644
--- a/windows/client-management/mdm/policy-csp-sudo.md
+++ b/windows/client-management/mdm/policy-csp-sudo.md
@@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -19,7 +19,7 @@ ms.date: 09/27/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
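Review bot: Flipping every edition from ❌ to ✅ changes the documented support matrix for the Sudo CSP without any explanation in the hunk; if the previous row was an error, consider the same approach used for LocalPoliciesSecurityOptions in this change (a short "previously showed ... in error" note) or at least call it out in the commit message, since readers comparing doc versions will otherwise see an unexplained change in edition support.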
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index a77f87712f..19a069926b 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -2601,7 +2601,7 @@ This policy will override the following policies:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi
- the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
+Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
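Review bot: the added line keeps the grammar error from the line it replaces: "The data type is a integer" should read "The data type is an integer". Since the sentence is being rewritten here anyway, fix it in this hunk.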
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 96d9296b8a..08d092b065 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
-- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
+- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 72d541101b..8633998eec 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 12/09/2024
---
@@ -15,28 +15,103 @@ ms.date: 11/05/2024
+
+## AllowRecallEnablement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
+```
+
+
+
+
+This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
+
+- If this policy isn't configured, end users will have the Recall component in a disabled state.
+
+- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
+
+- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Recall isn't available. |
+| 1 (Default) | Recall is available. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowRecallEnablement |
+| Friendly Name | Allow Recall to be enabled |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | AllowRecallEnablement |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## DisableAIDataAnalysis
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
+```
-This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
+This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
-- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
+- If the policy isn't configured, snapshots won't be saved for use with Recall.
-- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
+- If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
+
+If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
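Review bot: the AllowRecallEnablement description contradicts its own property table. The prose says Recall is disabled by default on managed devices and that an unconfigured policy leaves the component disabled, yet "Default Value" is 1 and the allowed-values table labels "1 (Default)" as "Recall is available". Either the default is 0, or the text should state that 1 is the CSP default value while the not-configured state is "disabled" for another reason; as written, an admin auditing the registry can't tell what a missing value means. Two smaller points in the same hunk: the opening paragraph says the same thing twice ("By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default"), and in DisableAIDataAnalysis the final "If you set this policy to disabled" case is a plain paragraph while the not-configured and enabled cases are bullets, so make it a third bullet. Since DisableAIDataAnalysis now has both User and Device scope, it would also help to say which setting wins when the two conflict.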
@@ -68,8 +143,8 @@ This policy setting allows you to control whether Windows saves snapshots of the
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
-| Friendly Name | Turn off Saving Snapshots for Windows |
-| Location | User Configuration |
+| Friendly Name | Turn off saving snapshots for use with Recall |
+| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
@@ -144,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
+
+## DisableGenerativeFill
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
+```
+
+
+
+
+This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
+
+- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
+
+- If this policy is disabled or not configured, users will be able to access generative fill functionality.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Generative fill is enabled. |
+| 1 | Generative fill is disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableGenerativeFill |
+| Path | WindowsAI > AT > WindowsComponents > Paint |
+
+
+
+
+
+
+
+
## DisableImageCreator
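Review bot: the Group policy mapping for DisableGenerativeFill is incomplete compared with the other WindowsAI entries in this change: it has only a Name row and an unresolved `WindowsAI > AT > WindowsComponents > Paint` path, with no Friendly Name, Location, Registry Key Name, Registry Value Name or ADMX File Name. Add the same rows AllowRecallEnablement has so the ADMX and registry mapping is discoverable.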
@@ -212,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
@@ -222,7 +359,7 @@ This policy setting allows you to control whether Image Creator functionality is
-
+
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
@@ -249,7 +386,11 @@ This policy setting determines which app opens when the user presses the Copilot
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
-| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
+| Friendly Name | Set Copilot Hardware Key |
+| Location | User Configuration |
+| Path | Windows Components > Windows Copilot |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
+| ADMX File Name | WindowsCopilot.admx |
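Review bot: the expanded SetCopilotHardwareKey mapping omits the Registry Value Name row that every other mapping in this change includes (AllowRecallEnablement, DisableAIDataAnalysis and the Recall list and storage policies). If it is intentionally absent because `SOFTWARE\Policies\Microsoft\Windows\CopilotKey` holds a differently named value, say so; otherwise add the row, since it is what an admin verifying the setting on a device will look for.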
@@ -258,6 +399,294 @@ This policy setting determines which app opens when the user presses the Copilot
+
+## SetDenyAppListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+
+
+
+This policy allows you to define a list of apps that won't be included in snapshots for Recall.
+
+Users will be able to add additional applications to exclude from snapshots using Recall settings.
+
+The list can include Application User Model IDs (AUMID) or name of the executable file.
+
+Use a semicolon-separated list of apps to define the deny app list for Recall.
+
+For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!IMPORTANT]
+> When configuring this policy setting, changes won't take effect until the device restarts.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyAppListForRecall |
+| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyAppListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetDenyUriListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+
+
+
+This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
+
+For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
+
+> [!IMPORTANT]
+> Changes to this policy take effect after device restart.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyUriListForRecall |
+| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyUriListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageDurationForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.
+
+When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.
+
+When this policy isn't configured, a time frame isn't set for deleting snapshots.
+
+Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
+| 30 | 30 days. |
+| 60 | 60 days. |
+| 90 | 90 days. |
+| 180 | 180 days. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageDurationForRecallSnapshots |
+| Friendly Name | Set maximum duration for storing snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageSpaceForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.
+
+You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.
+
+When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.
+
+25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
+| 10000 | 10GB. |
+| 25000 | 25GB. |
+| 50000 | 50GB. |
+| 75000 | 75GB. |
+| 100000 | 100GB. |
+| 150000 | 150GB. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageSpaceForRecallSnapshots |
+| Friendly Name | Set maximum storage for snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## TurnOffWindowsCopilot
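Review bot: the SetMaximumStorageSpaceForRecallSnapshots allowed-values table never states the unit of the integer; 10000 standing for 10 GB implies megabytes, and the descriptions should be written "10 GB" to match the prose above ("10, 25, 50, 75, 100, or 150 GB"). The prose also gives default allocations only for 256 GB, 512 GB and 1 TB devices; say what the OS allocates for capacities below 256 GB and between the listed sizes. In SetMaximumStorageDurationForRecallSnapshots, "When this policy isn't configured, a time frame isn't set for deleting snapshots" conflicts with the table's description of 0 (Default) as "Let the OS define the maximum amount of time"; pick one. For SetDenyAppListForRecall and SetDenyUriListForRecall, the text says users can add entries but not whether they can remove the admin-defined ones, and the mixed-case URI example (`https://www.Contoso.com`) leaves open whether matching is case-insensitive and whether the scheme must match; both need stating for an admin who relies on these lists as a data-protection control. Finally, the two IMPORTANT callouts say the same thing in different wording ("changes won't take effect until the device restarts" vs. "Changes to this policy take effect after device restart"); use one form.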
@@ -289,6 +718,7 @@ This policy setting allows you to turn off Windows Copilot.
> [!NOTE]
> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
+> - This policy also applies to upgrade scenarios to prevent installation of the Copilot app from an image that would have had the Copilot in Windows pane.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index c7a7fe256c..64a1352741 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -349,7 +349,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Name | Value |
|:--|:--|
| Name | EnableFirstLogonAnimation |
-| Friendly Name | Show first sign-in animation |
+| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
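Review bot: the removed and added Friendly Name lines are visually identical ("Show first sign-in animation"), so this hunk changes something invisible such as a non-breaking space or trailing whitespace. That is fine, but it should be called out in the PR description so reviewers don't have to diff the bytes to understand why the line changed.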
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index a22172669f..3c26ac2f1a 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -19,7 +19,7 @@ ms.date: 09/27/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
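Review bot: the expanded Applicable OS list names Windows 10 versions 2004, 20H2 and 21H1 at build .4950 but not 21H2 or 22H2 (10.0.19044 / 10.0.19045), which are the Windows 10 releases still in servicing; if "and later" is meant to cover them, fine, but the same list is repeated in six more hunks below and would read more clearly with the current release named. Nothing in the hunk says which update introduced build .4950 on these branches; consider linking the KB the way the DisableImageCreator hunk links KB5044380.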
@@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` Dependency Allowed Value: `[1]` Dependency Allowed Value Type: `Range` |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 3793140f08..687edec2d2 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,7 +1,7 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
-ms.date: 01/18/2024
+ms.date: 11/27/2024
---
@@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
-Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
+Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
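Review bot: while this line is being touched, "Version field is ignored" should read "the Version field is ignored", and the parenthetical reads better as "where X, Y, and Z are the major version, minor version, and service indicator, respectively".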
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 3011ad91da..4b5c7ff09c 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -837,10 +837,10 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- - name: PDE
+ - name: Personal Data Encryption
href: personaldataencryption-csp.md
items:
- - name: PDE DDF file
+ - name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization
href: personalization-csp.md
diff --git a/windows/client-management/recall-sensitive-information-filtering.md b/windows/client-management/recall-sensitive-information-filtering.md
new file mode 100644
index 0000000000..e6d8c32969
--- /dev/null
+++ b/windows/client-management/recall-sensitive-information-filtering.md
@@ -0,0 +1,190 @@
+---
+title: Sensitive information filtering in Recall
+description: Learn about the types of potentially sensitive information Recall detects.
+ms.topic: reference
+ms.subservice: windows-copilot
+ms.date: 11/22/2024
+ms.author: mstewart
+author: mestew
+ms.collection:
+ - windows-copilot
+ - magic-ai-copilot
+appliesto:
+- ✅ Copilot+ PCs
+---
+
+
+# Reference for sensitive information filtering in Recall
+
+This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.
+
+## Types of potentially sensitive information
+
+Types of potentially sensitive information that Recall detects and filters include:
+
+ABA Routing Number
+Argentina National Identity (DNI) Number
+Argentina Unique Tax Identification Key (CUIT/CUIL)
+Australia Bank Account Number
+Australia Drivers License Number
+Australia Tax File Number
+Austria Driver's License Number
+Austria Identity Card
+Austria Social Security Number
+Austria Tax Identification Number
+Austria Value Added Tax
+Azure Document DB Auth Key
+Azure IAAS Database Connection String and Azure SQL Connection String
+Azure IoT Connection String
+Azure Redis Cache Connection String
+Azure SAS
+Azure Secrets (Generic)
+Azure Service Bus Connection String
+Azure Storage Account Key
+Belgium Driver's License Number
+Belgium National Number
+Belgium Value Added Tax Number
+Brazil CPF Number
+Brazil Legal Entity Number (CNPJ)
+Brazil National ID Card (RG)
+Bulgaria Driver's License Number
+Bulgaria Uniform Civil Number
+Canada Bank Account Number
+Canada Driver's License Number
+Canada Social Insurance Number
+Chile Identity Card Number
+China Resident Identity Card (PRC) Number
+Colombia National ID
+Credit Card Number
+Croatia Driver's License Number
+Croatia Identity Card Number
+Croatia Personal Identification (OIB) Number
+Cyprus Driver's License Number
+Cyprus Identity Card
+Cyprus Tax Identification Number
+Czech Driver's License Number
+Czech Personal Identity Number
+DEA Number
+Denmark Driver's License Number
+Denmark Personal Identification Number
+Ecuador Unique Identification Number
+Estonia Driver's License Number
+Estonia Personal Identification Code
+EU Debit Card Number
+EU Driver's License Number
+EU National Id Card
+EU SSN or Equivalent Number
+EU Tax File Number
+Finland Driver's License Number
+Finnish National ID
+France CNI
+France Driver's License Number
+France INSEE
+France Tax Identification Number (numéro SPI.)
+France Value Added Tax Number
+General Password
+German Driver's License Number
+Germany Identity Card Number
+Germany Tax Identification Number
+Germany Value Added Tax Number
+Greece Driver's License Number
+Greece National ID Card
+Greece Social Security Number (AMKA)
+Greek Tax Identification Number
+Hong Kong Identity Card (HKID) number
+Hungarian Social Security Number (TAJ)
+Hungarian Value Added Tax Number
+Hungary Driver's License Number
+Hungary Personal Identification Number
+Hungary Tax Identification Number
+IBAN
+India Driver's License Number
+India GST number
+India Permanent Account Number
+India Unique Identification (Aadhaar) number
+India Voter Id Card
+Indonesia Drivers License Number
+Indonesia Identity Card (KTP) Number
+Ireland Driver's License Number
+Ireland Personal Public Service (PPS) Number
+Israel Bank Account Number
+Israel National ID Number
+Italy Driver's license Number
+Italy Fiscal Code
+Italy Value Added Tax
+Japan Bank Account Number
+Japan Driver's License Number
+Japan Residence Card Number
+Japan Resident Registration Number
+Japan Social Insurance Number
+Japanese My Number – Corporate
+Japanese My Number – Personal
+Latvia Driver's License Number
+Latvia Personal Code
+Lithuania Driver's License Number
+Lithuania Personal Code
+Luxembourg Driver's License Number
+Luxembourg National Identification Number (Natural persons)
+Luxembourg National Identification Number (Non-natural persons)
+Malaysia ID Card Number
+Malta Driver's License Number
+Malta Identity Card Number
+Malta Tax ID Number
+Mexico Unique Population Registry Code (CURP)
+Netherlands Citizen's Service (BSN) Number
+Netherlands Driver's License Number
+Netherlands Tax Identification Number
+Netherlands Value Added Tax Number
+New Zealand Bank Account Number
+New Zealand Driver License Number
+New Zealand Inland Revenue Number
+Newzealand Social Welfare Number
+Norway Identification Number
+Philippines National ID
+Philippines Passport Number
+Philippines Unified Multi-Purpose ID number
+Poland Driver's License Number
+Poland Identity Card
+Poland National ID (PESEL)
+Poland Tax Identification Number
+Polish REGON Number
+Portugal Citizen Card Number
+Portugal Driver's License Number
+Portugal Tax Identification Number
+Qatari ID Card Number
+Romania Driver's License Number
+Romania Personal Numerical Code (CNP)
+Saudi Arabia National ID
+Singapore Driving License Number
+Singapore National Registration Identity Card (NRIC) Number
+Slovakia Driver's License Number
+Slovakia Personal Number
+Slovenia Driver's License Number
+Slovenia Tax Identification Number
+Slovenia Unique Master Citizen Number
+South Africa Identification Number
+South Korea Driver's License Number
+South Korea Resident Registration Number
+Spain DNI
+Spain Driver's License Number
+Spain SSN
+Spain Tax Identification Number
+Sweden Driver's License Number
+Sweden National ID
+Sweden Tax Identification Number
+SWIFT Code
+Swiss SSN AHV Number
+Taiwan Resident Certificate (ARC/TARC)
+Taiwanese National ID
+Thai Citizen ID
+Turkish National Identity
+U.K. Driver's License Number
+U.K. Electoral Number
+U.K. NHS Number
+U.K. NINO
+U.K. Unique Taxpayer Reference Number
+U.S. Bank Account Number
+U.S. Driver's License Number
+U.S. Individual Taxpayer Identification Number (ITIN)
+U.S. Social Security Number
+UAE Identity Card Number
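Review bot: Country naming in this list is inconsistent, which matters if anything matches these strings against the names the filter reports: the list mixes noun and adjective forms (`Finland Driver's License Number` beside `Finnish National ID`, Greece beside Greek, Hungary beside Hungarian, Japan beside Japanese, Poland beside Polish) and has one fused name, `Newzealand Social Welfare Number`, next to `New Zealand Driver License Number`. Small typos as well: `Indonesia Drivers License Number` (missing apostrophe), `Italy Driver's license Number` (lowercase "license"), and a stray period inside `(numéro SPI.)`. If these strings are the product's own sensitive-information-type names they must stay exactly as the product reports them and the page should say so; otherwise normalize to one `<Country> <Document> Number` form.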
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 4aa913ef53..711bc21aea 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -51,7 +51,9 @@ items:
- name: Updated Windows and Microsoft Copilot experience
href: manage-windows-copilot.md
- name: Manage Recall
- href: manage-recall.md
+ href: manage-recall.md
+ - name: Reference for sensitive information filtering in Recall
+ href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal
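Review bot: The removed and added `href: manage-recall.md` lines are textually identical, so this part of the change is whitespace only; please confirm the resulting indentation nests the new `Reference for sensitive information filtering in Recall` entry where intended. If it is meant as a child of `Manage Recall`, the parent also needs an `items:` key, which does not appear in this hunk; if it is meant as a sibling, the indentation change on the existing `href` line is unnecessary and should be dropped to keep the diff minimal.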
diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md
index 4c942afd74..5ffc4c6801 100644
--- a/windows/configuration/assigned-access/shell-launcher/index.md
+++ b/windows/configuration/assigned-access/shell-launcher/index.md
@@ -78,7 +78,7 @@ $shellLauncherConfiguration = @"
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
+$obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
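Review bot: The rename to `$obj.ShellLauncher` is the right fix, since `Configuration` is the multi-app assigned access node and the Shell Launcher XML belongs in the `ShellLauncher` property; consider saying so in the surrounding text so readers who copied the old snippet understand why it never applied. Unchanged but worth fixing in the same pass: `$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue` overwrites `$obj` with nothing, because `Set-CimInstance` returns no object unless `-PassThru` is given; drop the assignment or add `-PassThru` so any later use of `$obj` does not fail.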
@@ -86,6 +86,7 @@ if($cimSetError) {
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ $eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
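Review bot: Defining `$eventLogFilterHashTable` fixes the previously undefined variable in the `Get-WinEvent` wait loop, but the loop condition `until ($events.Count -or $stopwatch.Elapsed -gt $timeout)` is satisfied by any event already present in `Microsoft-Windows-AssignedAccess/Admin`, so on a device that logged earlier assigned access errors the wait returns immediately and shows stale records as if they belonged to this attempt. Add a `StartTime` entry to the hashtable, captured just before the `Set-CimInstance` call, so only events from this configuration attempt are retrieved.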
diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md
index 8fcf389cf7..860024c72c 100644
--- a/windows/configuration/cellular/provisioning-apn.md
+++ b/windows/configuration/cellular/provisioning-apn.md
@@ -2,7 +2,7 @@
title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article
-ms.date: 04/23/2024
+ms.date: 12/05/2024
---
# Configure cellular settings
diff --git a/windows/configuration/custom-logon/images/customlogoncad.jpg b/windows/configuration/custom-logon/images/customlogoncad.jpg
new file mode 100644
index 0000000000..0f610d3b57
Binary files /dev/null and b/windows/configuration/custom-logon/images/customlogoncad.jpg differ
diff --git a/windows/configuration/custom-logon/index.md b/windows/configuration/custom-logon/index.md
new file mode 100644
index 0000000000..536cdcb8f9
--- /dev/null
+++ b/windows/configuration/custom-logon/index.md
@@ -0,0 +1,133 @@
+---
+title: Custom Logon
+description: Custom Logon
+ms.date: 03/05/2024
+ms.topic: overview
+---
+
+# Custom Logon
+
+You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
+
+Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers).
+
+## Requirements
+
+Custom Logon can be enabled on:
+
+- Windows 10 Enterprise
+- Windows 10 IoT Enterprise
+- Windows 10 Education
+- Windows 11 Enterprise
+- Windows 11 IoT Enterprise
+- Windows 11 Education
+
+## Terminology
+
+**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line.
+
+**Configure:** To customize the setting or subsettings.
+
+**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511.
+
+**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later.
+
+## Turn on Custom Logon
+
+Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied.
+
+The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps:
+
+### Turn on Custom Logon in Control Panel
+
+1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**.
+1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+
+### Turn on Custom Logon using DISM
+
+1. Open a command prompt with administrator rights.
+1. Enable the feature using the following command.
+
+ ```cmd
+ dism /online /enable-feature /featureName:Client-EmbeddedLogon
+ ```
+
+## Configure Custom Logon
+
+### Configure Custom Logon settings using Unattend
+
+You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon.
+
+The following example shows how to disable all Welcome screen UI elements and the **Switch user** button.
+
+```xml
+
+
+ 17
+ 1
+ 1
+ 1
+ 1
+
+
+```
+
+### Remove buttons from Logon screen
+
+To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key:
+
+```text
+HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
+```
+
+1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon).
+1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window.
+1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**.
+1. In the right pane, right click on **BrandingNeutral** and select **Modify**.
+1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes.
+
+> [!NOTE]
+> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value.
+
+The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**.
+
+| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)|
+|--------|------------|----|---|
+| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1|
+| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2|
+| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4|
+| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8|
+| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16|
+|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32|
+
+In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI.
+
+
+
+You can remove the Wireless UI option from the Welcome screen by using Group Policy.
+
+### Remove Wireless UI from Logon screen
+
+You use the following steps to remove Wireless UI from the Welcome screen
+
+1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
+1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**.
+1. Double-tap or click **Do not display network selection UI**.
+
+## Additional Customizations
+
+The following table shows additional customizations that can be made using registry keys.
+
+|Action |Path |Registry Key and Value |
+|---------|---------|---------|
+|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`|
+|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` |
+|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` |
+|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` |
+
+## Related articles
+
+- [Troubleshooting Custom Logon](troubleshoot.md)
+- [Unbranded Boot](../unbranded-boot/index.md)
+- [Shell Launcher](../shell-launcher/index.md)
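Review bot: The Unattend sample in the `xml` fence has lost its element names; only the values `17`, `1`, `1`, `1`, `1` remain inside an otherwise empty block, so readers cannot tell which `Microsoft-Windows-Embedded-EmbeddedLogon` settings the values belong to (17 is 0x11, which matches "disable all Welcome screen UI elements and the Switch user button" for the BrandingNeutral setting, but the four `1` values are unidentifiable). Restore the full component XML before merging. Smaller points in the same file: the `[ctrl + alt + del]` paragraph describes an image but no image reference follows it, so confirm the `customlogoncad.jpg` added in this change is actually referenced; the `0x1` row is labelled "Disable all Logon screen UI elements" while its description lists only Power, Language and Ease of Access, so state explicitly whether Switch user and BSDR are included in "all"; and the setting names in the Additional Customizations table would be more useful with the value type (REG_DWORD) stated.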
diff --git a/windows/configuration/custom-logon/troubleshoot.md b/windows/configuration/custom-logon/troubleshoot.md
new file mode 100644
index 0000000000..abb65828de
--- /dev/null
+++ b/windows/configuration/custom-logon/troubleshoot.md
@@ -0,0 +1,105 @@
+---
+title: Troubleshooting Custom Logon
+description: Troubleshooting Custom Logon
+ms.date: 05/02/2017
+ms.topic: troubleshooting
+---
+
+# Troubleshooting Custom Logon
+
+This section highlights some common issues that you may encounter when using Custom Logon.
+
+## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate
+
+This can occur when your device is configured to require a password when waking up from a sleep state.
+
+### To disable password protection on wake-up
+
+1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes:
+
+ 1. At an administrator command prompt, type the following command:
+
+ ```cmd
+ uwfmgr.exe filter disable
+ ```
+
+ 1. To restart the device, type the following command:
+
+ ```cmd
+ uwfmgr.exe restart
+ ```
+
+1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading.
+
+1. Under the **Power Options** heading, select **Require a password on wake up**.
+
+1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Don't require a password**.
+
+1. If you have disabled write filters, perform the following steps to enable them again:
+
+ 1. At an administrator command prompt, type the following command:
+
+ ```cmd
+ uwfmgr.exe filter enable
+ ```
+
+ 1. To restart the device, type the following command:
+
+ ```cmd
+ uwfmgr.exe restart
+ ```
+
+## The device displays a black screen during setup
+
+Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup.
+
+## The device displays a black screen when Ctrl+Alt+Del is pressed
+
+**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
+
+## The device displays a black screen when Windows key + L is used to lock the device
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
+
+### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR).
+
+> [!WARNING]
+> When the BSDR screen is disabled, restarting, or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data.
+
+## The device displays a black screen when the device is suspended and then resumed
+
+**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake-up.
+
+### To disable password protection on wake-up
+
+1. In **Control Panel**, select **Power Options**.
+
+1. In the **Power Options** item, select **Require a password on wake up**.
+
+1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Don't require a password**.
+
+### The device displays a black screen when a password expiration screen is displayed
+
+**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire.
+
+### To set a password to never expire on an individual user account
+
+1. On your device, open a command prompt with administrator privileges.
+
+1. Type the following, replacing *<accountname>* with the name of the account you want to remove the password expiration from.
+
+ ```cmd
+ net accounts /expires:never
+ ```
+
+### To set passwords to never expire on all user accounts
+
+1. On your device, open a command prompt with administrator privileges.
+
+1. Type the following
+
+ ```cmd
+ net accounts /MaxPWAge:unlimited
+ ```
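Review bot: The per-account procedure is wrong: the step tells the reader to substitute *<accountname>*, but the command `net accounts /expires:never` contains no account name, and `net accounts` operates on the whole account database rather than one user (its switches are the policy ones such as `/MaxPWAge`, which the next procedure uses correctly). Use a per-user command instead, for example `Set-LocalUser -Name <accountname> -PasswordNeverExpires $true` from an elevated PowerShell prompt, and put `<accountname>` in backticks, since a raw angle-bracket token in markdown may be treated as an HTML tag and dropped in rendering. Also in this file: `Contol Panel` is misspelled, `**HideAutoLogonUI** and**ForceAutoLogon**` is missing a space, the sibling issues alternate between `##` and `###` headings (the Notepad and password-expiration issues sit one level below their neighbours), and `ms.date: 05/02/2017` on a newly added file looks stale.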
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 32f9c41247..22924a43cc 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -80,12 +80,18 @@
"assigned-access//**/*.yml": "paolomatarazzo",
"cellular//**/*.md": "paolomatarazzo",
"cellular//**/*.yml": "paolomatarazzo",
+ "custom-logon//**/*.md": "terrywarwick",
+ "custom-logon//**/*.yml": "terrywarwick",
+ "keyboard-filter//**/*.md": "terrywarwick",
+ "keyboard-filter//**/*.yml": "terrywarwick",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
+ "shell-launcher//**/*.md": "terrywarwick",
+ "shell-launcher//**/*.yml": "terrywarwick",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
@@ -94,6 +100,10 @@
"taskbar//**/*.yml": "paolomatarazzo",
"tips//**/*.md": "paolomatarazzo",
"tips//**/*.yml": "paolomatarazzo",
+ "unbranded-boot//**/*.md": "terrywarwick",
+ "unbranded-boot//**/*.yml": "terrywarwick",
+ "unified-write-filter//**/*.md": "terrywarwick",
+ "unified-write-filter//**/*.yml": "terrywarwick",
"wcd//**/*.md": "vinaypamnani-msft",
"wcd//**/*.yml": "vinaypamnani-msft"
},
@@ -104,12 +114,18 @@
"assigned-access//**/*.yml": "paoloma",
"cellular//**/*.md": "paoloma",
"cellular//**/*.yml": "paoloma",
+ "custom-logon//**/*.md": "twarwick",
+ "custom-logon//**/*.yml": "twarwick",
"lock-screen//**/*.md": "paoloma",
+ "keyboard-filter//**/*.md": "twarwick",
+ "keyboard-filter//**/*.yml": "twarwick",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
+ "shell-launcher//**/*.md": "twarwick",
+ "shell-launcher//**/*.yml": "twarwick",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",
@@ -118,6 +134,10 @@
"taskbar//**/*.yml": "paoloma",
"tips//**/*.md": "paoloma",
"tips//**/*.yml": "paoloma",
+ "unbranded-boot//**/*.md": "twarwick",
+ "unbranded-boot//**/*.yml": "twarwick",
+ "unified-write-filter//**/*.md": "twarwick",
+ "unified-write-filter//**/*.yml": "twarwick",
"wcd//**/*.md": "vinpa",
"wcd//**/*.yml": "vinpa"
},
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index fa1a297ecf..a1e1606862 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 04/25/2024
+ ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md
new file mode 100644
index 0000000000..9a5c32fb35
--- /dev/null
+++ b/windows/configuration/keyboard-filter/disable-all-blocked-key-combinations.md
@@ -0,0 +1,74 @@
+---
+title: Disable all blocked key combinations
+description: Disable all blocked key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Disable all blocked key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. The key combination configurations aren't removed, but Keyboard Filter stops blocking any keys.
+
+## Disable-all-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This Windows PowerShell script shows how to enumerate all existing keyboard filter
+ rules and how to disable them by setting the Enabled property directly.
+.Description
+ For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
+ set the Enabled property to false/0 to disable the filter rule, thus
+ allowing all key sequences through the filter.
+.Parameter ComputerName
+ Optional parameter to specify the remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+
+param(
+ [String]$ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ Write-Host Disabled $_.Id
+ }
+ }
+
+Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ Write-Host Disabled $_.Id
+ }
+ }
+
+Get-WMIObject -class WEKF_Scancode @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ $_.Enabled = 0;
+ $_.Put() | Out-Null;
+ "Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode
+ }
+ }
+```
+
+## Related articles
+
+- [Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+- [Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Keyboard filter](index.md)
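Review bot: The intro sentence says the script "uses the WMI providers to disable all blocked key combinations ... by using the Windows Management Instrumentation (WMI) providers", which repeats itself; one mention is enough. In the script, the third loop reports with a bare formatted string (`"Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode`) while the first two use `Write-Host Disabled $_.Id`; pick one style, since the string form goes to the pipeline and the `Write-Host` form does not, which matters if the script's output is captured. Worth a sentence in the text: `Get-WMIObject` exists only in Windows PowerShell 5.1, so readers on PowerShell 7 need the CIM cmdlets (`Get-CimInstance`/`Set-CimInstance`) against the same `root\standardcimv2\embedded` namespace.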
diff --git a/windows/configuration/keyboard-filter/index.md b/windows/configuration/keyboard-filter/index.md
new file mode 100644
index 0000000000..6f7d3cc589
--- /dev/null
+++ b/windows/configuration/keyboard-filter/index.md
@@ -0,0 +1,144 @@
+---
+title: Keyboard Filter
+description: Keyboard Filter
+ms.date: 01/13/2025
+ms.topic: overview
+---
+
+# Keyboard Filter
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, a customer can use certain Microsoft Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to alter the operation of a device by locking the screen or using Task Manager to close a running application. This behavior might not be desirable if your device is intended for a dedicated purpose.
+
+The Keyboard Filter feature works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. Switching from one language to another might cause the location of suppressed keys on the keyboard layout to change. Keyboard Filter detects these dynamic layout changes and continues to suppress keys correctly.
+
+> [!NOTE]
+> Keyboard filter is not supported in a remote desktop session.
+
+## Terminology
+
+- **Turn on, enable:** Make the setting available to the device and optionally apply the settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line
+- **Configure:** To customize the setting or subsettings
+- **Embedded Keyboard Filter:** This feature is called Embedded Keyboard Filter in Windows 10, version 1511
+- **Keyboard Filter:** This feature is called Keyboard Filter in Windows 10, version 1607 and later
+
+## Turn on Keyboard Filter
+
+By default, Keyboard Filter isn't turned on. You can turn Keyboard Filter on or off for your device by using the following steps.
+
+Turning on an off Keyboard Filter requires that you restart your device. Keyboard Filter is automatically enabled after the restart.
+
+### Turn on Keyboard Filter by using Control Panel
+
+1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Keyboard Filter**.
+1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+1. Restart your device to apply the changes.
+
+### Configure Keyboard using Unattend
+
+1. You can configure the Unattend settings in the [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice) component to add Keyboard Filter features to your image during the design or imaging phase.
+1. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the keyboard filter settings and XML examples, see the settings in [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice).
+
+### Turn on and configure Keyboard Filter using Windows Configuration Designer
+
+The Keyboard Filter settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image deployment time or runtime. You can set one or all keyboard filter settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime.
+
+1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package), selecting the **Advanced Provisioning** option.
+
+ > [!Note]
+ > In the **Choose which settings to view and configure** window, choose **Common to all Windows desktop editions**.
+
+1. On the **Available customizations** page, select **Runtime settings** > **SMISettings**, and then set the desired values for the keyboard filter settings.
+1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. For more information, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package).
+
+This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package. For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
+
+### Turn on and configure Keyboard Filter by using DISM
+
+1. Open a command prompt with administrator privileges.
+1. Enable the feature using the following command.
+
+ ```cmd
+ Dism /online /Enable-Feature /FeatureName:Client-KeyboardFilter
+ ```
+
+1. Once the script completes, restart the device to apply the change.
+
+## Keyboard Filter features
+
+Keyboard Filter has the following features:
+
+- Supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard (TabTip.exe)
+- Suppresses key combinations even when they come from multiple keyboards
+
+ For example, if a user presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality.
+
+- Supports numeric keypads and keys designed to access media player and browser functionality
+- Can configure a key to breakout of a locked down user session to return to the Welcome screen
+- Automatically handles dynamic layout changes
+- Can be enabled or disabled for administrator accounts
+- Can force disabling of Ease of Access functionality
+- Supports x86 and x64 architectures
+
+## Keyboard scan codes and layouts
+
+When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout. The layout defines the mapping of keys on the physical keyboard, and has many variants. A key on a keyboard always sends the same scan code when pressed, however this scan code can map to different virtual keys for different layouts. For example, in the English (United States) keyboard layout, the key to the right of the P key maps to `{`. However, in the Swedish (Sweden) keyboard layout, the same key maps to `Å`.
+
+Keyboard Filter can block keys either by the scan code or the virtual key. Blocking keys by the scan code is useful for custom keyboards that have special scan codes that don't translate into any single virtual key. Blocking keys by the virtual key is more convenient because it's easier to read and Keyboard Filter suppresses the key correctly even when the location of the key changes because of a layout change.
+
+When you configure Keyboard Filter to block keys by using the virtual key, you must use the English names for the virtual keys. For more information about the names of the virtual keys, see keyboard filter key names.
+
+For the Windows on-screen keyboard, keyboard filter converts each keystroke into a scan code based on the layout, and back into a virtual key. This allows keyboard filter to suppress the on-screen keyboard keys in the same manner as physical keyboard keys if they're configured with either scan code or virtual key.
+
+## Keyboard Filter and ease of access features
+
+By default, ease of access features are enabled and Keyboard Filter is disabled for administrator accounts.
+
+If Sticky Keys are enabled, a user can bypass Keyboard Filter in certain situations. You can configure keyboard filter to disable all ease of access features and prevent users from enabling them.
+
+You can enable ease of access features for administrator accounts, while still disabling them for standard user accounts, by making sure that Keyboard Filter is disabled for administrator accounts.
+
+## Keyboard Filter configuration
+
+You can configure the following options for Keyboard Filter:
+
+- Set/unset predefined key combinations to be suppressed
+- Add/remove custom defined key combinations to be suppressed
+- Enable/disable keyboard filter for administrator accounts
+- Force disabling ease of access features
+- Configure a breakout key sequence to break out of a locked down account
+
+Most configuration changes take effect immediately. Some changes, such as enabling or disabling Keyboard Filter for administrators, don't take effect until the user signs out of the account and then back in. If you change the breakout key scan code, you must restart the device before the change take effect.
+
+You can configure keyboard filter by using Windows Management Instrumentation (WMI) providers. You can use the Keyboard Filter WMI providers directly in a PowerShell script or in an application.
+
+For more information about Keyboard Filter WMI providers, see [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md).
+
+## Keyboard breakout
+
+You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account.
+
+The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect.
+
+## Keyboard Filter considerations
+
+Starting a device in Safe Mode bypasses keyboard filter. The Keyboard Filter service isn't loaded in Safe Mode, and keys aren't blocked in Safe Mode.
+
+Keyboard filter can't block the Sleep key.
+
+Some hardware keys, such as rotation lock, don't have a defined virtual key. You can still block these keys by using the scan code of the key.
+
+The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply.
+
+When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior.
+
+Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search.
+
+## In this section
+
+- [Keyboard Filter key names](keyboardfilter-key-names.md)
+- [Predefined key combinations](predefined-key-combinations.md)
+- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Windows PowerShell script samples for Keyboard Filter](keyboardfilter-powershell-script-samples.md)
\ No newline at end of file
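Review bot: the cross-reference "see keyboard filter key names" in the third paragraph of this hunk is plain text while every other reference in the file is a relative link; make it `[Keyboard Filter key names](keyboardfilter-key-names.md)`, the file added later in this same change. In the "Keyboard Filter configuration" paragraph, "before the change take effect" should read "takes effect"; the same sentence is repeated verbatim, correctly, at the end of "Keyboard breakout", so keep it in one place. The Sticky Keys sentence under "Keyboard Filter and ease of access features" warns that the filter "can be bypassed in certain situations" but never names the setting that closes that gap; pointing to the `ForceOffAccessibility` setting of [WEKF_Settings](wekf-settings.md), which the rest of the change documents, lets an administrator act on the warning. Under "Keyboard Filter considerations", "You must block both keys to block these keys" is ambiguous; the example that follows (one rule for "\*" plus one rule for Multiply) says it better, so lead with that. The file also lacks a trailing newline.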
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md
new file mode 100644
index 0000000000..129b6e271b
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-add-blocked-key-combinations.md
@@ -0,0 +1,160 @@
+---
+title: Add blocked key combinations
+description: Add blocked key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Add blocked key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create three functions to configure Keyboard Filter so that Keyboard Filter blocks key combinations. It demonstrates several ways to use each function.
+
+The first function, `Enable-Predefine-Key`, blocks key combinations that are predefined for Keyboard Filter.
+
+The second function, `Enable-Custom-Key`, blocks custom key combinations by using the English key names.
+
+The third function, `Enable-Scancode`, blocks custom key combinations by using the keyboard scan code for the key.
+
+## Enable-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to use the built in WMI providers to enable and add
+ keyboard filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Predefined-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Predefined Key keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+ .Example
+ Enable-Predefined-Key "Ctrl+Alt+Del"
+ Enable CAD filtering
+#>
+
+ $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($predefined) {
+ $predefined.Enabled = 1;
+ $predefined.Put() | Out-Null;
+ Write-Host Enabled $Id
+ } else {
+ Write-Error "$Id is not a valid predefined key"
+ }
+}
+
+
+function Enable-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Custom Key keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+
+ In the case that the Custom instance does not exist, add a new
+ instance of WEKF_CustomKey using Set-WMIInstance.
+ .Example
+ Enable-Custom-Key "Ctrl+V"
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($custom) {
+# Rule exists. Just enable it.
+ $custom.Enabled = 1;
+ $custom.Put() | Out-Null;
+ "Enabled Custom Filter $Id.";
+
+ } else {
+ Set-WMIInstance `
+ -class WEKF_CustomKey `
+ -argument @{Id="$Id"} `
+ @CommonParams | Out-Null
+ "Added Custom Filter $Id.";
+ }
+}
+
+function Enable-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Toggle on a Scancode keyboard filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_Scancode instances,
+ filter against key values of "Modifiers" and "Scancode", and set
+ that instance's "Enabled" property to 1/true.
+
+ In the case that the Scancode instance does not exist, add a new
+ instance of WEKF_Scancode using Set-WMIInstance.
+ .Example
+ Enable-Scancode "Ctrl" 37
+ Enable filtering of the Ctrl + keyboard scancode 37 (base-10)
+ sequence.
+#>
+
+ $scancode =
+ Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {
+ ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
+ }
+
+ if($scancode) {
+ $scancode.Enabled = 1
+ $scancode.Put() | Out-Null
+ "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ } else {
+ Set-WMIInstance `
+ -class WEKF_Scancode `
+ -argument @{Modifiers="$Modifiers"; Scancode=$Code} `
+ @CommonParams | Out-Null
+
+ "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ }
+}
+
+# Some example uses of the functions defined above.
+Enable-Predefined-Key "Ctrl+Alt+Del"
+Enable-Predefined-Key "Ctrl+Esc"
+Enable-Custom-Key "Ctrl+V"
+Enable-Custom-Key "Numpad0"
+Enable-Custom-Key "Shift+Numpad1"
+Enable-Custom-Key "%"
+Enable-Scancode "Ctrl" 37
+```
+
+## Related topics
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
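Review bot: the prose names the first function `Enable-Predefine-Key`, but the script defines and calls `Enable-Predefined-Key`; fix the paragraph so a reader searching by name finds the function. Inside `Enable-Custom-Key`, the comment `# Rule exists. Just enable it.` sits at column 0 while the block around it is indented; indent it with the code it describes. Style only: `Enable-Predefined-Key` reports success with `Write-Host Enabled $Id` while the other two functions emit a formatted string to the pipeline; pick one so callers that capture output see consistent behaviour.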
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-key-names.md b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md
new file mode 100644
index 0000000000..9fe1380150
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-key-names.md
@@ -0,0 +1,179 @@
+---
+title: Keyboard Filter key names
+description: Keyboard Filter key names
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Keyboard Filter key names
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+You can configure Keyboard Filter to block keys or key combinations. A key combination consists of one or more modifier keys, separated by a plus sign (+), and either a key name or a key scan code. In addition to the keys listed in the following tables, you can use the predefined key combinations names as custom key combinations. However, we recommend using the predefined key settings when enabling or disabling predefined key combinations.
+
+The key names are grouped as follows:
+
+- [Modifier keys](#modifier-keys)
+- [System keys](#system-keys)
+- [Cursor and edit keys](#cursor-and-edit-keys)
+- [State keys](#state-keys)
+- [OEM keys](#oem-keys)
+- [Function keys](#function-keys)
+- [Numeric keypad keys](#numeric-keypad-keys)
+
+## Modifier keys
+
+You can use the modifier keys listed in the following table when you configure keyboard filter. Multiple modifiers are separated by a plus sign (+). You can also configure Keyboard Filter to block any modifier key even if it's not part of a key combination.
+
+| Modifier key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Ctrl` | VK_CONTROL | The Ctrl key |
+| `LCtrl` | VK_LCONTROL | The left Ctrl key |
+| `RCtrl` | VK_RCONTROL | The right Ctrl key |
+| `Control` | VK_CONTROL | The Ctrl key |
+| `LControl` | VK_LCONTROL | The left Ctrl key |
+| `RControl` | VK_RCONTROL | The right Ctrl key |
+| `Alt` | VK_MENU | The Alt key |
+| `LAlt` | VK_LMENU | The left Alt key |
+| `RAlt` | VK_RMENU | The right Alt key |
+| `Shift` | VK_SHIFT | The Shift key |
+| `LShift` | VK_LSHIFT | The left Shift key |
+| `RShift` | VK_RSHIFT | The right Shift key |
+| `Win` | VK_WIN | The Windows logo key |
+| `LWin` | VK_LWIN | The left Windows logo key |
+| `RWin` | VK_RWIN | The right Windows logo key |
+| `Windows` | VK_WIN | The Windows logo key |
+| `LWindows` | VK_LWIN | The left Windows logo key |
+| `RWindows` | VK_RWIN | The right Windows key |
+
+## System keys
+
+| Modifier key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Ctrl` | VK_CONTROL | The Ctrl key |
+| `LCtrl` | VK_LCONTROL | The left Ctrl key |
+| `RCtrl` | VK_RCONTROL | The right Ctrl key |
+| `Control` | VK_CONTROL | The Ctrl key |
+| `LControl` | VK_LCONTROL | The left Ctrl key |
+| `RControl` | VK_RCONTROL | The right Ctrl key |
+| `Alt` | VK_MENU | The Alt key |
+| `LAlt` | VK_LMENU | The left Alt key |
+| `RAlt` | VK_RMENU | The right Alt key |
+| `Shift` | VK_SHIFT | The Shift key |
+| `LShift` | VK_LSHIFT | The left Shift key |
+| `RShift` | VK_RSHIFT | The right Shift key |
+| `Win` | VK_WIN | The Windows logo key |
+| `LWin` | VK_LWIN | The left Windows logo key |
+| `RWin` | VK_RWIN | The right Windows logo key |
+| `Windows` | VK_WIN | The Windows logo key |
+| `LWindows` | VK_LWIN | The left Windows logo key |
+| `RWindows` | VK_RWIN | The right Windows logo key |
+
+## Cursor and edit keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `PageUp` | VK_PRIOR | The Page Up key |
+| `Prior` | VK_PRIOR | The Page Up key |
+| `PgUp` | VK_PRIOR | The Page Up key |
+| `PageDown` | VK_NEXT | The Page Down key |
+| `PgDown` | VK_NEXT | The Page Down key |
+| `Next` | VK_NEXT | The Page Down key |
+| `End` | VK_END | The End key |
+| `Home` | VK_HOME | The Home key |
+| `Left` | VK_LEFT | The Left Arrow key |
+| `Up` | VK_UP | The Up Arrow key |
+| `Right` | VK_RIGHT | The Right Arrow key |
+| `Down` | VK_DOWN | The Down Arrow key |
+| `Insert` | VK_INSERT | The Insert key |
+| `Delete` | VK_DELETE | The Delete key |
+| `Del` | VK_DELETE | The Delete key |
+| `Separator` | VK_SEPARATOR | The Separator key |
+
+## State keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `NumLock` | VK_NUMLOCK | The Num Lock key |
+| `ScrollLock` | VK_SCROLL | The Scroll Lock key |
+| `Scroll` | VK_SCROLL | The Scroll Lock key |
+| `CapsLock` | VK_CAPITAL | The Caps Lock key |
+| `Capital` | VK_CAPITAL | The Caps Lock key |
+
+## OEM keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `KeypadEqual` | VK_OEM_NEC_EQUAL | The Equals (=) key on the numeric keypad (OEM-specific) |
+| `Dictionary` | VK_OEM_FJ_JISHO | The Dictionary key (OEM-specific) |
+| `Unregister` | VK_OEM_FJ_MASSHOU | The Unregister Word key (OEM-specific) |
+| `Register` | VK_OEM_FJ_TOUROKU | The Register Word key (OEM-specific) |
+| `LeftOyayubi` | VK_OEM_FJ_LOYA | The Left OYAYUBI key (OEM-specific) |
+| `RightOyayubi` | VK_OEM_FJ_ROYA | The Right OYAYUBI key (OEM-specific) |
+| `OemPlus` | VK_OEM_PLUS | For any country/region, the Plus Sign (+) key |
+| `OemComma` | VK_OEM_COMMA | For any country/region, the Comma (,) key |
+| `OemMinus` | VK_OEM_MINUS | For any country/region, the Minus Sign (-) key |
+| `OemPeriod` | VK_OEM_PERIOD | For any country/region, the Period (.) key |
+| `Oem1` | VK_OEM_1 | Varies by keyboard |
+| `Oem2` | VK_OEM_2 | Varies by keyboard |
+| `Oem3` | VK_OEM_3 | Varies by keyboard |
+| `Oem4` | VK_OEM_4 | Varies by keyboard |
+| `Oem5` | VK_OEM_5 | Varies by keyboard |
+| `Oem6` | VK_OEM_6 | Varies by keyboard |
+| `Oem7` | VK_OEM_7 | Varies by keyboard |
+| `Oem8` | VK_OEM_8 | Varies by keyboard |
+| `OemAX` | VK_OEM_AX | The AX key on a Japanese AX keyboard |
+| `Oem102` | VK_OEM_102 | Either the angle bracket key or the backslash key on the RT 102-key keyboard |
+
+## Function keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `F1` | VK_F1 | The F1 key |
+| `F2` | VK_F2 | The F2 key |
+| `F3` | VK_F3 | The F3 key |
+| `F4` | VK_F4 | The F4 key |
+| `F5` | VK_F5 | The F5 key |
+| `F6` | VK_F6 | The F6 key |
+| `F7` | VK_F7 | The F7 key |
+| `F8` | VK_F8 | The F8 key |
+| `F9` | VK_F9 | The F9 key |
+| `F10` | VK_F10 | The F10 key |
+| `F11` | VK_F11 | The F11 key |
+| `F12` | VK_F12 | The F12 key |
+| `F13` | VK_F13 | The F13 key |
+| `F14` | VK_F14 | The F14 key |
+| `F15` | VK_F15 | The F15 key |
+| `F16` | VK_F16 | The F16 key |
+| `F17` | VK_F17 | The F17 key |
+| `F18` | VK_F18 | The F18 key |
+| `F19` | VK_F19 | The F19 key |
+| `F20` | VK_F20 | The F20 key |
+| `F21` | VK_F21 | The F21 key |
+| `F22` | VK_F22 | The F22 key |
+| `F23` | VK_F23 | The F23 key |
+| `F24` | VK_F24 | The F24 key |
+
+## Numeric keypad keys
+
+| Key name | Virtual key | Description |
+| ----------------- | ----------- | ----------- |
+| `Numpad0` | VK_NUMPAD0 | The 0 key on the numeric keypad |
+| `Numpad1` | VK_NUMPAD1 | The 1 key on the numeric keypad |
+| `Numpad2` | VK_NUMPAD2 | The 2 key on the numeric keypad |
+| `Numpad3` | VK_NUMPAD3 | The 3 key on the numeric keypad |
+| `Numpad4` | VK_NUMPAD4 | The 4 key on the numeric keypad |
+| `Numpad5` | VK_NUMPAD5 | The 5 key on the numeric keypad |
+| `Numpad6` | VK_NUMPAD6 | The 6 key on the numeric keypad |
+| `Numpad7` | VK_NUMPAD7 | The 7 key on the numeric keypad |
+| `Numpad8` | VK_NUMPAD8 | The 8 key on the numeric keypad |
+| `Numpad9` | VK_NUMPAD9 | The 9 key on the numeric keypad |
+| `Multiply` | VK_MULTIPLY | The Multiply (*) key on the numeric keypad |
+| `Add` | VK_ADD | The Add (+) key on the numeric keypad |
+| `Subtract` | VK_SUBTRACT | The Subtract (-) key on the numeric keypad |
+| `Decimal` | VK_DECIMAL | The Decimal (.) key on the numeric keypad |
+| `Divide` | VK_DIVIDE | The Divide (/) key on the numeric keypad |
+
+## Related articles
+
+- [Keyboard filter](index.md)
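Review bot: the table under "## System keys" is a verbatim copy of the "Modifier keys" table above it, down to the "Modifier key name" column header, so the System keys group promised in the list at the top of the file is not actually documented; key names used in the predefined combinations elsewhere in this change (`Esc`, `Tab`, `Space`, `Break`, `Application`) appear in no table here, and the intended system key rows need to be supplied. Two smaller points: `RWindows` is described as "The right Windows key" in the Modifier keys table but "The right Windows logo key" in the copy, and "the predefined key combinations names" in the introduction should read "the predefined key combination names".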
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md
new file mode 100644
index 0000000000..35788409b1
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-list-all-configured-key-combinations.md
@@ -0,0 +1,71 @@
+---
+title: List all configured key combinations
+description: List all configured key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# List all configured key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to displays all key combination configurations for Keyboard Filter.
+
+## List-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ Enumerate all active keyboard filter rules on the system.
+.Description
+ For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
+ get the Enabled property. If Enabled, then output a short description
+ of the rule.
+.Parameter ComputerName
+ Optional parameter to specify the remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+write-host Enabled Predefined Keys -foregroundcolor cyan
+Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ write-host $_.Id
+ }
+ }
+
+write-host Enabled Custom Keys -foregroundcolor cyan
+Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ write-host $_.Id
+ }
+ }
+
+write-host Enabled Scancodes -foregroundcolor cyan
+Get-WMIObject -class WEKF_Scancode @CommonParams |
+ foreach {
+ if ($_.Enabled) {
+ "{0}+{1:X4}" -f $_.Modifiers, $_.Scancode
+ }
+ }
+```
+
+## Related articles
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
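Review bot: "to displays all key combination configurations" in the introduction should read "to display all key combination configurations". One behavioural point worth a sentence in the text: the script prints only rules whose `Enabled` property is true (the title says "all configured", the script's own synopsis says "all active"), so a custom rule or scancode rule that exists but is disabled is not shown; either say so or drop the `if ($_.Enabled)` guard and print the flag beside each Id.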
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md
new file mode 100644
index 0000000000..7547ba9614
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-powershell-script-samples.md
@@ -0,0 +1,26 @@
+---
+title: Windows PowerShell script samples for Keyboard Filter
+description: Windows PowerShell script samples for Keyboard Filter
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Windows PowerShell script samples for Keyboard Filter
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The list below describes sample Windows PowerShell scripts that demonstrate how to use the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+| Script | Description |
+| ------ | ----------- |
+| [Add blocked key combinations](keyboardfilter-add-blocked-key-combinations.md) | Demonstrates how to block key combinations for Keyboard Filter.|
+| [Disable all blocked key combinations](disable-all-blocked-key-combinations.md) | Demonstrates how to disable all blocked key combinations for Keyboard Filter. |
+| [List all configured key combinations](keyboardfilter-list-all-configured-key-combinations.md) | Demonstrates how to list all defined key combination configurations for Keyboard Filter. |
+| [Modify global settings](modify-global-settings.md) | Demonstrates how to modify global settings for Keyboard Filter. |
+| [Remove key combination configurations](remove-key-combination-configurations.md) | Demonstrates how to remove a custom defined key combination configuration for Keyboard Filter. |
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
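Review bot: the link targets in this table follow two naming conventions: three carry the `keyboardfilter-` prefix while `disable-all-blocked-key-combinations.md`, `modify-global-settings.md` and `remove-key-combination-configurations.md` do not, which makes the folder harder to navigate and the redirect entries easier to get wrong; settle on one. Also, "The list below" introduces a table, so "The following table" reads better.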
diff --git a/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md
new file mode 100644
index 0000000000..eeff8800eb
--- /dev/null
+++ b/windows/configuration/keyboard-filter/keyboardfilter-wmi-provider-reference.md
@@ -0,0 +1,23 @@
+---
+title: Keyboard Filter WMI provider reference
+description: Keyboard Filter WMI provider reference
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Keyboard Filter WMI provider reference
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Describes the Windows Management Instrumentation (WMI) provider classes that you use to configure Keyboard Filter during run time.
+
+| WMI Provider Class | Description |
+| ------------------ | ----------- |
+| [WEKF_CustomKey](wekf-customkey.md) | Blocks or unblocks custom defined key combinations. |
+| [WEKF_PredefinedKey](wekf-predefinedkey.md) | Blocks or unblocks predefined key combinations. |
+| [WEKF_Scancode](wekf-scancode.md) | Blocks or unblocks key combinations by using keyboard scan codes. |
+| [WEKF_Settings](wekf-settings.md) | Enables or disables settings for Keyboard Filter. |
+
+## Related topics
+
+[Keyboard filter](index.md)
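Review bot: the opening sentence "Describes the Windows Management Instrumentation (WMI) provider classes ..." has no subject; "This article describes ..." matches the other pages in this change. The heading here is "Related topics" while the key-names and script-samples pages use "Related articles"; use one form across the set.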
diff --git a/windows/configuration/keyboard-filter/modify-global-settings.md b/windows/configuration/keyboard-filter/modify-global-settings.md
new file mode 100644
index 0000000000..39d26be872
--- /dev/null
+++ b/windows/configuration/keyboard-filter/modify-global-settings.md
@@ -0,0 +1,172 @@
+---
+title: Modify global settings
+description: Modify global settings
+ms.date: 01/13/2025
+ms.topic: how-to
+---
+
+# Modify global settings
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell scripts use the Windows Management Instrumentation (WMI) providers to modify global settings for Keyboard Filter.
+
+The function **Get-Setting** retrieves the value of a global setting for Keyboard Filter.
+
+In the first script, the function **Set-DisableKeyboardFilterForAdministrators** modifies the value of the **DisableKeyboardFilterForAdministrators** setting.
+
+In the second script, the function **Set-ForceOffAccessibility** modifies the value of the **ForceOffAccessibility** setting.
+
+## Set-DisableKeyboardFilterForAdministrators.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to enumerate WEKF_Settings to find global settings
+ that can be set on the keyboard filter. In this specific script, the
+ global setting to be set is "DisableKeyboardFilterForAdministrators".
+.Parameter ComputerName
+ Optional parameter to specify a remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+.Parameter On
+ Switch if present that sets "DisableKeyboardFilterForAdministrators" to
+ true. If not present, sets the setting to false.
+#>
+
+param (
+ [Switch] $On = $False,
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
+if ($PSBoundParameters.ContainsKey("ComputerName")) {
+ $CommonParams += @{"ComputerName" = $ComputerName};
+}
+
+function Get-Setting([String] $Name) {
+ <#
+ .Synopsis
+ Get a WMIObject by name from WEKF_Settings
+ .Parameter Name
+ The name of the setting, which is the key for the WEKF_Settings class.
+#>
+ $Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
+ where {
+ $_.Name -eq $Name
+ }
+
+ return $Entry
+}
+
+function Set-DisableKeyboardFilterForAdministrators([Bool] $Value) {
+ <#
+ .Synopsis
+ Set the DisableKeyboardFilterForAdministrators setting to true or
+ false.
+ .Description
+ Set DisableKeyboardFilterForAdministrators to true or false based
+ on $Value
+ .Parameter Value
+ A Boolean value
+#>
+
+ $Setting = Get-Setting("DisableKeyboardFilterForAdministrators")
+ if ($Setting) {
+ if ($Value) {
+ $Setting.Value = "true"
+ } else {
+ $Setting.Value = "false"
+ }
+ $Setting.Put() | Out-Null;
+ } else {
+ Write-Error "Unable to find DisableKeyboardFilterForAdministrators setting";
+ }
+}
+
+Set-DisableKeyboardFilterForAdministrators $On
+```
+
+## Set-ForceOffAccessibility.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to enumerate WEKF_Settings to find global settings
+ that can be set on the keyboard filter. In this specific script, the
+ global setting to be set is "ForceOffAccessibility".
+.Parameter ComputerName
+ Optional parameter to specify a remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+.Parameter Enabled
+ Switch if present that sets "ForceOffAccessibility" to true. If not
+ present, sets the setting to false.
+#>
+
+param (
+ [Switch] $Enabled = $False,
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
+if ($PSBoundParameters.ContainsKey("ComputerName")) {
+ $CommonParams += @{"ComputerName" = $ComputerName};
+}
+
+function Get-Setting([String] $Name) {
+ <#
+ .Synopsis
+ Get a WMIObject by name from WEKF_Settings
+ .Parameter Name
+ The name of the setting, which is the key for the WEKF_Settings class.
+#>
+ $Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
+ where {
+ $_.Name -eq $Name
+ }
+
+ return $Entry
+}
+
+function Set-ForceOffAccessibility([Bool] $Value) {
+ <#
+ .Synopsis
+ Set the ForceOffAccessibility setting to true or false.
+ .Description
+ Set ForceOffAccessibility to true or false based on $Value
+ .Parameter Value
+ A Boolean value
+#>
+
+ $Setting = Get-Setting("ForceOffAccessibility")
+ if ($Setting) {
+ if ($Value) {
+ $Setting.Value = "true"
+ } else {
+ $Setting.Value = "false"
+ }
+ $Setting.Put() | Out-Null;
+ } else {
+ Write-Error "Unable to find ForceOffAccessibility setting";
+ }
+}
+
+Set-ForceOffAccessibility $Enabled
+```
+
+## Related topics
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[WEKF_Settings](wekf-settings.md)
+
+[Keyboard filter](index.md)
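Review bot: `Get-Setting("DisableKeyboardFilterForAdministrators")` in the first script, and the same call form in the second, uses C-style parentheses; it works only because the function takes a single argument, and a reader who copies the pattern into a multi-parameter call will pass one array instead. Write it as `Get-Setting "DisableKeyboardFilterForAdministrators"` or `Get-Setting -Name "..."`. Worth keeping, and worth a comment: building `$CommonParams` from an explicit `ContainsKey("ComputerName")` check rather than `+= $PSBoundParameters` as the other samples do is the right choice here, because the `-On` or `-Enabled` switch would otherwise be splatted into `Get-WMIObject`, which does not accept it. Also, `ms.topic: how-to` differs from the `reference` used by the other sample pages in this change.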
diff --git a/windows/configuration/keyboard-filter/predefined-key-combinations.md b/windows/configuration/keyboard-filter/predefined-key-combinations.md
new file mode 100644
index 0000000000..eb25a41a53
--- /dev/null
+++ b/windows/configuration/keyboard-filter/predefined-key-combinations.md
@@ -0,0 +1,160 @@
+---
+title: Predefined key combinations
+description: Predefined key combinations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Predefined key combinations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This topic lists a set of key combinations that are predefined by a keyboard filter. You can list the value of the WEKF_PredefinedKey.Id to get a complete list of key combinations defined by a keyboard filter.
+
+You can use the values in the WEKF_PredefinedKey.Id column to configure the Windows Management Instrumentation (WMI) class [WEKF_PredefinedKey](wekf-predefinedkey.md).
+
+## Accessibility keys
+
+The following table contains predefined key combinations for accessibility:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:-------------------------------------|:--------------------------|:----------------------------|
+| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. |
+| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. |
+| Windows logo key + U | **Win+U** | Open Ease of Access Center. |
+
+## Application keys
+
+The following table contains predefined key combinations for controlling application state:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:----------------------|:----------------------|:-------------------|
+| Alt + F4 | **Alt+F4** | Close application. |
+| Ctrl + F4 | **Ctrl+F4** | Close window. |
+| Windows logo key + F1 | **Win+F1** | Open Windows Help. |
+
+## Shell keys
+
+The following table contains predefined key combinations for general UI control:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
+| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. |
+| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. |
+| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. |
+| Windows logo key + Break | **Win+Break** | Open System dialog box. |
+| Windows logo key + E | **Win+E** | Open Windows Explorer. |
+| Windows + F | **Win+F** | Open Search. |
+| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. |
+| Windows logo key + R | **Win+R** | Open Run dialog box. |
+| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. |
+| Ctrl + Tab | **Ctrl+Tab** | Switch window. |
+| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. |
+| Windows logo key + D | **Win+D** | Show desktop. |
+| Windows logo key + M | **Win+M** | Minimize all windows. |
+| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. |
+| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. |
+| Windows logo key + B | **Win+B** | Set focus in the notification area. |
+| Windows logo key + Minus Sign | **Win+-** | Zoom out. |
+| Windows logo key + Plus Sign | **Win++** | Zoom in. |
+| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. |
+| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. |
+| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. |
+| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. |
+| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. |
+| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. |
+| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. |
+| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. |
+| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. |
+| Windows logo key + Spacebar | **Win+Space** | Switch layout. |
+| Windows logo key + O | **Win+O** | Lock device orientation. |
+| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. |
+| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. |
+| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. |
+| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). |
+| Windows logo key + I | **Win+I** | Open Settings charm. |
+| Windows logo key + K | **Win+K** | Open Connect charm. |
+| Windows logo key + H | **Win+H** | Start dictation. |
+| Windows logo key + Q | **Win+Q** | Open Search charm. |
+| Windows logo key + W | **Win+W** | Open Windows Ink workspace. |
+| Windows logo key + Z | **Win+Z** | Open app bar. |
+| Windows logo key + / | **Win+/** | Open input method editor (IME). |
+| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. |
+| Windows logo key + Comma | **Win+,** | Peek at the desktop. |
+| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. |
+
+## Modifier keys
+
+The following table contains predefined key combinations for modifier keys (such as Shift and Ctrl):
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:-----------------|:----------------------|:-----------------------|
+| Alt | **Alt** | Both Alt keys |
+| Application | **Application** | Application key |
+| Ctrl | **Ctrl** | Both Ctrl keys |
+| Shift | **Shift** | Both Shift keys |
+| Windows logo key | **Windows** | Both Windows logo keys |
+
+## Security keys
+
+The following table contains predefined key combinations for OS security:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
+|:-----------------------|:----------------------|:----------------------------------|
+| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. |
+| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. |
+| Windows logo key + L | **Win+L** | Lock the device. |
+
+## Extended shell keys
+
+The following table contains predefined key combinations for extended shell functions (such as automatically opening certain apps):
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:--------------------|:----------------------|:------------------------|
+| LaunchMail | **LaunchMail** | Start Mail key |
+| LaunchMediaSelect | **LaunchMediaSelect** | Select Media key |
+| LaunchApp1 | **LaunchApp1** | Start Application 1 key |
+| LaunchApp2 | **LaunchApp2** | Start Application 2 key |
+
+## Browser keys
+
+The following table contains predefined key combinations for controlling the browser:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:-----------------|:----------------------|:---------------------------|
+| BrowserBack | **BrowserBack** | Browser Back key |
+| BrowserForward | **BrowserForward** | Browser Forward key |
+| BrowserRefresh | **BrowserRefresh** | Browser Refresh key |
+| BrowserStop | **BrowserStop** | Browser Stop key |
+| BrowserSearch | **BrowserSearch** | Browser Search key |
+| BrowserFavorites | **BrowserFavorites** | Browser Favorites key |
+| BrowserHome | **BrowserHome** | Browser Start and Home key |
+
+## Media keys
+
+The following table contains predefined key combinations for controlling media playback:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:----------------|:----------------------|:---------------------|
+| VolumeMute | **VolumeMute** | Volume Mute key |
+| VolumeDown | **VolumeDown** | Volume Down key |
+| VolumeUp | **VolumeUp** | Volume Up key |
+| MediaNext | **MediaNext** | Next Track key |
+| MediaPrev | **MediaPrev** | Previous Track key |
+| MediaStop | **MediaStop** | Stop Media key |
+| MediaPlayPause | **MediaPlayPause** | Play/Pause Media key |
+
+## Microsoft Surface keyboard keys
+
+The following table contains predefined key combinations for Microsoft Surface devices:
+
+| Key combination | WEKF_PredefinedKey.Id | Blocked key |
+|:------------------------------|:----------------------|:-------------|
+| Left Alt + Windows logo key | **AltWin** | Share key |
+| Left Ctrl + Windows logo key | **CtrlWin** | Devices key |
+| Left Shift + Windows logo key | **ShiftWin** | Search key |
+| F21 | **F21** | Settings key |
+
+## Related topics
+
+[Keyboard filter](index.md)
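Review bot: the closing heading reads "## Related topics" while the other new pages in this change use "## Related articles"; align it for consistency. In the Security keys table the third column is headed "Blocked behavior" whereas every other table on the page heads it "Blocked key", and the Ctrl + Shift + Esc row gives its Id as **Shift+Ctrl+Esc**, with the modifiers in the opposite order from the key-combination column; confirm that string is the literal WEKF_PredefinedKey.Id, since readers will copy it verbatim into WEKF_PredefinedKey.Enable and a mismatch would silently fail to block Task Manager.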
diff --git a/windows/configuration/keyboard-filter/remove-key-combination-configurations.md b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md
new file mode 100644
index 0000000000..624edc69f4
--- /dev/null
+++ b/windows/configuration/keyboard-filter/remove-key-combination-configurations.md
@@ -0,0 +1,106 @@
+---
+title: Remove key combination configurations
+description: Remove key combination configurations
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# Remove key combination configurations
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create two functions to remove custom-defined key combination configurations from Keyboard Filter. It demonstrates several ways to use each function.
+
+The first function, **Remove-Custom-Key**, removes custom key combination configurations.
+
+The second function, **Remove-Scancode**, removes custom scan code configurations.
+
+You can't remove the predefined key combination configurations for Keyboard Filter, but you can disable them.
+
+## Remove-rules.ps1
+
+```powershell
+#
+# Copyright (C) Microsoft. All rights reserved.
+#
+
+<#
+.Synopsis
+ This script shows how to use the build in WMI providers to remove keyboard filter rules. Rules of type WEKF_PredefinedKey cannot be removed.
+.Parameter ComputerName
+ Optional parameter to specify the remote computer that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+
+param(
+ [string] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Remove-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Remove an instance of WEKF_CustomKey
+ .Description
+ Enumerate all instances of WEKF_CustomKey. When an instance has an
+ Id that matches $Id, delete it.
+ .Example
+ Remove-Custom-Key "Ctrl+V"
+
+ This removes the instance of WEKF_CustomKey with a key Id of "Ctrl+V"
+#>
+
+ $customInstance = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {$_.Id -eq $Id}
+
+ if ($customInstance) {
+ $customInstance.Delete();
+ "Removed Custom Filter $Id.";
+ } else {
+ "Custom Filter $Id does not exist.";
+ }
+}
+
+function Remove-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Remove and instance of WEKF_Scancode
+ .Description
+ Enumerate all instances of WEKF_Scancode. When an instance has a
+ matching modifiers and code, delete it.
+ .Example
+ Remove-Scancode "Ctrl" 37
+
+ This removes the instance of WEKF_Scancode with Modifiers="Ctrl" and
+ Scancode=37.
+#>
+
+ $scancodeInstance = Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)}
+
+ if ($scancodeInstance) {
+ $scancodeInstance.Delete();
+ "Removed Scancode $Modifiers+$Code.";
+ } else {
+ "Scancode $Modifiers+$Code does not exist.";
+ }
+}
+
+# Some example uses of the functions defined above.
+Remove-Custom-Key "Ctrl+V"
+Remove-Custom-Key "Numpad0"
+Remove-Custom-Key "Shift+Numpad1"
+Remove-Custom-Key "%"
+Remove-Scancode "Ctrl" 37
+```
+
+## Related articles
+
+[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
+
+[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard filter](index.md)
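Review bot: the example calls at the end of Remove-rules.ps1 (`Remove-Custom-Key "Ctrl+V"` through `Remove-Scancode "Ctrl" 37`) run unconditionally whenever the script is executed, so anyone who runs the sample as-is deletes those five rules on the target machine; consider commenting them out or placing them under a switch so the two functions can be dot-sourced safely. Two typos in the comment-based help: "build in WMI providers" should be "built-in", and "Remove and instance of WEKF_Scancode" should be "Remove an instance".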
diff --git a/windows/configuration/keyboard-filter/toc.yml b/windows/configuration/keyboard-filter/toc.yml
new file mode 100644
index 0000000000..7c09e1a75c
--- /dev/null
+++ b/windows/configuration/keyboard-filter/toc.yml
@@ -0,0 +1,53 @@
+items:
+- name: Keyboard Filter
+ items:
+ - name: About keyboard filter
+ href: index.md
+ - name: Key Names
+ href: keyboardfilter-key-names.md
+ - name: Predefined Key Combinations
+ href: keyboardfilter-list-all-configured-key-combinations.md
+ - name: WMI Provider Reference
+ items:
+ - name: Overview
+ href: keyboardfilter-wmi-provider-reference.md
+ - name: Class WEKF_CustomKey
+ items:
+ - name: Overview
+ href: wekf-customkey.md
+ - name: Add
+ href: wekf-customkeyadd.md
+ - name: Remove
+ href: wekf-customkeyremove.md
+ - name: Class WEKF_PredefinedKey
+ items:
+ - name: Overview
+ href: wekf-predefinedkey.md
+ - name: Disable
+ href: wekf-predefinedkeydisable.md
+ - name: Enable
+ href: wekf-predefinedkeyenable.md
+ - name: Class WEKF_Scancode
+ items:
+ - name: Overview
+ href: wekf-scancode.md
+ - name: Add
+ href: wekf-scancodeadd.md
+ - name: Remove
+ href: wekf-scancoderemove.md
+ - name: Class WEKF-Settings
+ href: wekf-settings.md
+ - name: PowerShell script samples
+ items:
+ - name: Overview
+ href: keyboardfilter-powershell-script-samples.md
+ - name: Add blocked key Combinations
+ href: keyboardfilter-add-blocked-key-combinations.md
+ - name: Disable all blocked key Combinations
+ href: disable-all-blocked-key-combinations.md
+ - name: List all configured key combinations
+ href: keyboardfilter-list-all-configured-key-combinations.md
+ - name: Modify global settings
+ href: modify-global-settings.md
+ - name: Remove key combination configurations
+ href: remove-key-combination-configurations.md
\ No newline at end of file
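Review bot: the "Predefined Key Combinations" entry points at keyboardfilter-list-all-configured-key-combinations.md, the same href as the "List all configured key combinations" sample further down, whereas wekf-predefinedkey.md and the Enable/Disable pages in this change link to predefined-key-combinations.md; one of the two is wrong and the TOC entry looks like the one to fix. Also "Class WEKF-Settings" uses a hyphen where the class (and the other three class entries) use an underscore, the capitalisation of "Add blocked key Combinations" / "Disable all blocked key Combinations" is inconsistent with the sibling entries, and the file is missing a trailing newline.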
diff --git a/windows/configuration/keyboard-filter/wekf-customkey.md b/windows/configuration/keyboard-filter/wekf-customkey.md
new file mode 100644
index 0000000000..dcc812049e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkey.md
@@ -0,0 +1,128 @@
+---
+title: WEKF_CustomKey
+description: WEKF_CustomKey
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+
+# WEKF_CustomKey
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Adds or removes custom-defined key combinations.
+
+## Syntax
+
+```powershell
+class WEKF_CustomKey {
+ [Static] uint32 Add(
+ [In] string CustomKey
+ );
+ [Static] uint32 Remove(
+ [In] string CustomKey
+ );
+
+ [Key] string Id;
+ [Read, Write] boolean Enabled;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WEKF_CustomKey.Add](wekf-customkeyadd.md) | Creates a new custom key combination and enables Keyboard Filter to block the new key combination. |
+| [WEKF_CustomKey.Remove](wekf-customkeyremove.md) | Removes the specified custom key combination. Keyboard Filter stops blocking the key combination that was removed. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|--------------|
+| **Id** | string | [key] | The name of the custom key combination. |
+| **Enabled** | Boolean | [read, write] | Indicates if the key is blocked or unblocked. This property can be one of the following values - **true** Indicates that the key is blocked.- **false** Indicates that the key isn't blocked. |
+
+### Remarks
+
+You can specify key combinations by including the modifier keys in the name. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win. You can't block a combination of non-modifier keys. For example, you can block a key combination of >Ctrl+>Shift+>F, but you can't block a key combination of >A+>D.
+
+When you block a >Shift-modified key, you must enter the key as >Shift + the unmodified key. For example, to block the >% key on an English keyboard layout, you must specify the key as >Shift+>5. Attempting to block >%, results in Keyboard Filter blocking >5 instead.
+
+When you specify the key combination to block, you must use the English names for the keys. For a list of the key names you can specify, see Keyboard Filter key names.
+
+## Example
+
+The following code demonstrates how to add or enable a custom key combination that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly and doesn't call any of the methods defined in **WEKF_CustomKey**.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the WMI provider to enable and add
+ Keyboard Filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Custom-Key($Id) {
+ <#
+ .Synopsis
+ Toggle on a Custom Key Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+
+ In the case that the Custom instance does not exist, add a new
+ instance of WEKF_CustomKey using Set-WMIInstance.
+ .Example
+ Enable-Custom-Key "Ctrl+V"
+
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($custom) {
+# Rule exists. Just enable it.
+ $custom.Enabled = 1;
+ $custom.Put() | Out-Null;
+ "Enabled Custom Filter $Id.";
+
+ } else {
+ Set-WMIInstance `
+ -class WEKF_CustomKey `
+ -argument @{Id="$Id"} `
+ @CommonParams | Out-Null
+
+ "Added Custom Filter $Id.";
+ }
+}
+
+
+# Some example uses of the function defined above.
+
+Enable-Custom-Key "Ctrl+V"
+Enable-Custom-Key "Numpad0"
+Enable-Custom-Key "Shift+Numpad1"
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter key names](keyboardfilter-key-names.md)
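Review bot: the Remarks paragraphs carry stray ">" characters before every key name (">Ctrl, >Shift, >Alt, and >Win", ">Shift+>5"), which will render as literal greater-than signs; they look like residue of a lost <kbd> or bold markup and should be replaced with the page's **bold** style. The **Enabled** property description has its two-item value list collapsed into one sentence ("values - **true** Indicates ... - **false** Indicates ..."), so the dashes no longer render as a list, and "see Keyboard Filter key names" in the last Remarks paragraph should be a link to keyboardfilter-key-names.md as it is under Related articles. Minor: a doubled blank line follows the front matter.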
diff --git a/windows/configuration/keyboard-filter/wekf-customkeyadd.md b/windows/configuration/keyboard-filter/wekf-customkeyadd.md
new file mode 100644
index 0000000000..a48eeedb72
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkeyadd.md
@@ -0,0 +1,94 @@
+---
+title: WEKF_CustomKey.Add
+description: WEKF_CustomKey.Add
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_CustomKey.Add
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Creates a new custom key combination and enables Keyboard Filter to block the new key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Add(
+ [In] string CustomKey
+);
+```
+
+## Parameters
+
+**CustomKey**\[in\] The custom key combination to add. For a list of valid key names, see [Keyboard Filter key names](keyboardfilter-key-names.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates a [WMI Non-Error Constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI Error Constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_CustomKey.Add** creates a new **WEKF_CustomKey** object and sets the **Enabled** property of the new object to **true**, and the **Id** property to *CustomKey*.
+
+If a **WEKF_CustomKey** object already exists with the **Id** property equal to *CustomKey*, then **WEKF_CustomKey.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_CustomKey** object has the **Enabled** property set to **false**, Keyboard Filter does not block the custom key combination.
+
+## Example
+
+The following code demonstrates how to add or enable a custom key that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods
+$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
+
+# Create a function to add or enable a key combination for Keyboard Filter to block
+function Enable-Custom-Key($KeyId) {
+
+# Check to see if the custom key object already exists
+ $objCustomKey = Get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey |
+ where {$_.Id -eq "$KeyId"};
+
+ if ($objCustomKey) {
+
+# The custom key already exists, so just enable it
+ $objCustomKey.Enabled = 1;
+ $objCustomKey.Put() | Out-Null;
+ "Enabled ${KeyId}.";
+
+ } else {
+
+# Create a new custom key object by calling the static Add method
+ $retval = $classCustomKey.Add($KeyId);
+
+# Check the return value to verify that the Add is successful
+ if ($retval.ReturnValue -eq 0) {
+ "Added ${KeyID}."
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+ }
+}
+
+# Enable Keyboard Filter to block several custom keys
+
+Enable-Custom-Key "Ctrl+v"
+Enable-Custom-Key "Ctrl+v"
+Enable-Custom-Key "Shift+4"
+Enable-Custom-Key "Ctrl+Alt+w"
+
+# List all the currently existing custom keys
+
+$objCustomKeyList = get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey
+foreach ($objCustomKeyItem in $objCustomKeyList) {
+ "Custom key: " + $objCustomKeyItem.Id
+ " enabled: " + $objCustomKeyItem.Enabled
+ }
+```
+
+## Related articles
+
+- [WEKF_CustomKey](wekf-customkey.md)
+- [Keyboard Filter](index.md)
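Review bot: `Enable-Custom-Key "Ctrl+v"` is called twice in a row; if the repeat is meant to exercise the "already exists, so just enable it" branch, say so in the comment above the calls, otherwise drop it. Variable casing drifts between the parameter `$KeyId` and the uses `${KeyID}` in the output strings (legal in PowerShell but confusing in a reference sample), and `get-WMIObject` at the end should match the `Get-WMIObject` used above. In Remarks, "Keyboard Filter does not block" should read "doesn't block" to match the contraction style used on the sibling pages.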
diff --git a/windows/configuration/keyboard-filter/wekf-customkeyremove.md b/windows/configuration/keyboard-filter/wekf-customkeyremove.md
new file mode 100644
index 0000000000..26b1d35bdc
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-customkeyremove.md
@@ -0,0 +1,86 @@
+---
+title: WEKF_CustomKey.Remove
+description: WEKF_CustomKey.Remove
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_CustomKey.Remove
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Removes a custom key combination, causing Keyboard Filter to stop blocking the removed key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Remove(
+ [In] string CustomKey
+);
+```
+
+## Parameters
+
+**CustomKey**\[in\] The custom key combination to remove.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_CustomKey.Remove** removes an existing **WEKF_CustomKey** object. If the object doesn't exist, **WEKF_CustomKey.Remove** returns an error with the value 0x8007007B.
+
+Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
+
+## Example
+
+The following code demonstrates how to remove a custom key from Keyboard Filter so it's no longer blocked by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods
+$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
+
+# Create a function to remove a key combination
+function Remove-Custom-Key($KeyId) {
+
+# Call the static Remove() method on the class reference
+ $retval = $classCustomKey.Remove($KeyId)
+
+# Check the return value for status
+ if ($retval.ReturnValue -eq 0) {
+
+# Custom key combination removed successfully
+ "Removed ${KeyID}."
+ } elseif ($retval.ReturnValue -eq 2147942523) {
+
+# No object exists with the specified custom key
+ "Failed to remove ${KeyID}. No object found."
+ } else {
+
+# Unknown error, report error code in hexadecimal
+ "Failed to remove ${KeyID}. Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+
+# Example of removing a custom key so that Keyboard Filter stops blocking it
+Remove-Custom-Key "Ctrl+Alt+w"
+
+# Example of removing all custom keys that have the Enabled property set to false
+$objDisabledCustomKeys = Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey;
+
+foreach ($objCustomKey in $objDisabledCustomKeys) {
+ if (!$objCustomKey.Enabled) {
+ Remove-Custom-Key($objCustomKey.Id);
+ }
+}
+```
+
+## Related topics
+
+- [WEKF_CustomKey](wekf-customkey.md)
+- [Keyboard Filter](index.md)
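Review bot: the comparison `$retval.ReturnValue -eq 2147942523` is the decimal form of the 0x8007007B documented in Remarks; writing it as `0x8007007B`, or adding a comment with the hex value, keeps the code and the text visibly in sync. `$objDisabledCustomKeys` actually holds every WEKF_CustomKey instance, with the Enabled test done inside the loop, so the name misleads, and `Remove-Custom-Key($objCustomKey.Id)` uses method-call parentheses, which work for a single argument but are a known PowerShell pitfall and differ from the positional style used elsewhere in the sample. The closing heading "## Related topics" should be "## Related articles" like the other pages.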
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkey.md b/windows/configuration/keyboard-filter/wekf-predefinedkey.md
new file mode 100644
index 0000000000..dd5de7d93a
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkey.md
@@ -0,0 +1,112 @@
+---
+title: WEKF_PredefinedKey
+description: WEKF_PredefinedKey
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This class blocks or unblocks predefined key combinations, such as Ctrl+Alt+Delete.
+
+## Syntax
+
+```powershell
+class WEKF_PredefinedKey {
+ [Static] uint32 Enable (
+ [In] string PredefinedKey
+ );
+ [Static] uint32 Disable (
+ [In] string PredefinedKey
+ );
+
+ [Key] string Id;
+ [Read, Write] boolean Enabled;
+};
+```
+
+## Members
+
+The following tables list any constructors, methods, fields, and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|:-----------------------------------------------------------|:---------------------------------------|
+| [WEKF_PredefinedKey.Enable](wekf-predefinedkeyenable.md) | Blocks the specified predefined key. |
+| [WEKF_PredefinedKey.Disable](wekf-predefinedkeydisable.md) | Unblocks the specified predefined key. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|:------------|:----------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Id** | string | [key] | The name of the predefined key combination. |
+| **Enabled** | Boolean | [read, write] | Indicates whether the key is blocked or unblocked. To indicate that the key is blocked, specify **true**. To indicate that the key isn't blocked, specify **false**. |
+
+### Remarks
+
+All accounts have read access to the **WEKF_PRedefinedKey** class, but only administrator accounts can modify the class.
+
+For a list of predefined key combinations for Keyboard Filter, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Example
+
+The following sample Windows PowerShell script blocks the Ctrl+Alt+Delete and the Ctrl+Esc key combinations when the Keyboard Filter service is running.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the built in WMI providers to enable and add
+ Keyboard Filter rules through Windows PowerShell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+function Enable-Predefined-Key($Id) {
+ <#
+ .Synposis
+ Toggle on a Predefined Key Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
+ filter against key value "Id", and set that instance's "Enabled"
+ property to 1/true.
+ .Example
+ Enable-Predefined-Key "Ctrl+Alt+Delete"
+
+ Enable CAD filtering
+#>
+
+ $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
+ where {
+ $_.Id -eq "$Id"
+ };
+
+ if ($predefined) {
+ $predefined.Enabled = 1;
+ $predefined.Put() | Out-Null;
+ Write-Host Enabled $Id
+ } else {
+ Write-Error $Id is not a valid predefined key
+ }
+}
+
+# Some example uses of the function defined above.
+
+Enable-Predefined-Key "Ctrl+Alt+Delete"
+Enable-Predefined-Key "Ctrl+Esc"
+```
+
+## Related articles
+
+- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+- [Keyboard Filter](index.md)
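Review bot: `Write-Error $Id is not a valid predefined key` passes "is", "not", "a", ... as extra positional arguments, which Write-Error rejects (only -Message is positional), so the error branch itself throws a binding error instead of the intended message; quote it: `Write-Error "$Id is not a valid predefined key"`. The help keyword `.Synposis` is misspelled (`.Synopsis`), which stops Get-Help from picking up the description, and "**WEKF_PRedefinedKey**" in Remarks has a stray capital R.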
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md
new file mode 100644
index 0000000000..b49d3383f0
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkeydisable.md
@@ -0,0 +1,34 @@
+---
+title: WEKF_PredefinedKey.Disable
+description: WEKF_PredefinedKey.Disable
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey.Disable
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Unblocks the specified predefined key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Disable(
+ [In] string PredefinedKey
+);
+```
+
+## Parameters
+
+**PredefinedKey**\[in\] The predefined key combination to unblock. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI Non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+
+## Related articles
+
+- [WEKF_PredefinedKey](wekf-predefinedkey.md)
+- [Keyboard Filter](index.md)
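Review bot: the Return Value sentence reads "indicates [WMI Non-error constant] or a [WMI error constant]"; the article is missing before the first link and the capitalisation differs from the Enable page's "WMI non-error constant". There is also a doubled blank line before "## Related articles".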
diff --git a/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md
new file mode 100644
index 0000000000..a674afda86
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-predefinedkeyenable.md
@@ -0,0 +1,33 @@
+---
+title: WEKF_PredefinedKey.Enable
+description: WEKF_PredefinedKey.Enable
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_PredefinedKey.Enable
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method blocks the specified predefined key combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Enable(
+ [In] string PredefinedKey
+);
+```
+
+## Parameters
+
+**PredefinedKey**The predefined key combination to block. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Related articles
+
+- [WEKF_PredefinedKey](wekf-predefinedkey.md)
+- [Keyboard Filter](index.md)
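Review bot: the parameter line "**PredefinedKey**The predefined key combination to block" lacks the `\[in\]` annotation and the space after the bold name that the Disable page uses ("**PredefinedKey**\[in\] The predefined key combination to unblock"); make the two pages match.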
diff --git a/windows/configuration/keyboard-filter/wekf-scancode.md b/windows/configuration/keyboard-filter/wekf-scancode.md
new file mode 100644
index 0000000000..8cfb7b0f6e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancode.md
@@ -0,0 +1,126 @@
+---
+title: WEKF_Scancode
+description: WEKF_Scancode
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Blocks or unblocks key combinations by using the keyboard scan code, which is an integer number that is generated whenever a key is pressed or released.
+
+## Syntax
+
+```powershell
+class WEKF_Scancode {
+ [Static] uint32 Add(
+ [In] string Modifiers,
+ [In] uint16 scancode
+ );
+ [Static] uint32 Remove(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+ );
+
+ [Key] string Modifiers;
+ [Key] uint16 Scancode;
+ [Read, Write] boolean Enabled;
+}
+```
+
+## Members
+
+The following tables list any constructors, methods, fields, and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WEKF_Scancode.Add](wekf-scancodeadd.md) | Adds a new custom scan code combination and enables Keyboard Filter to block the new scan code combination. |
+| [WEKF_Scancode.Remove](wekf-scancoderemove.md) | Removes the specified custom scan code combination. Keyboard Filter stops blocking the scan code combination that was removed. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Modifiers** | string | [key] | The modifier keys that are part of the key combination to block. |
+| **Scancode** | uint16 | [key] | The scan code part of the key combination to block. |
+| **Enabled** | Boolean | [read, write] | Indicates whether the scan code is blocked or unblocked. This property can be one of the following values:- **true** Indicates that the scan code is blocked.- **false** Indicates that the scan code isn't blocked. |
+
+### Remarks
+
+Scan codes are generated by the keyboard whenever a key is pressed. The same physical key will always generate the same scan code, regardless of which keyboard layout is currently being used by the system.
+
+You can specify key combinations by including the modifier keys in the *Modifiers* parameter of the **Add** method or by modifying the **Modifiers** property. The most common modifier names are >Ctrl, >Shift, >Alt, and >Win.
+
+## Example
+
+The following code demonstrates how to add or enable a keyboard scan code that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly, and doesn't call any of the methods defined in **WEKF_Scancode**.
+
+```powershell
+<#
+.Synopsis
+ This script shows how to use the WMI provider to enable and add
+ Keyboard Filter rules through Windows Powershell on the local computer.
+.Parameter ComputerName
+ Optional parameter to specify a remote machine that this script should
+ manage. If not specified, the script will execute all WMI operations
+ locally.
+#>
+param (
+ [String] $ComputerName
+)
+
+$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
+$CommonParams += $PSBoundParameters
+
+
+function Enable-Scancode($Modifiers, [int]$Code) {
+ <#
+ .Synopsis
+ Toggle on a Scancode Keyboard Filter Rule
+ .Description
+ Use Get-WMIObject to enumerate all WEKF_Scancode instances,
+ filter against key values of "Modifiers" and "Scancode", and set
+ that instance's "Enabled" property to 1/true.
+
+ In the case that the Scancode instance does not exist, add a new
+ instance of WEKF_Scancode using Set-WMIInstance.
+ .Example
+ Enable-Predefined-Key "Ctrl+V"
+
+ Enable filtering of the Ctrl + V sequence.
+#>
+
+ $scancode =
+ Get-WMIObject -class WEKF_Scancode @CommonParams |
+ where {
+ ($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
+ }
+
+ if($scancode) {
+ $scancode.Enabled = 1
+ $scancode.Put() | Out-Null
+ "Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ } else {
+ Set-WMIInstance `
+ -class WEKF_Scancode `
+ -argument @{Modifiers="$Modifiers"; Scancode=$Code} `
+ @CommonParams | Out-Null
+
+ "Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
+ }
+}
+
+# Some example uses of the function defined above.
+
+Enable-Scancode "Ctrl" 37
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
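Review bot: the `.Example` in Enable-Scancode's help shows `Enable-Predefined-Key "Ctrl+V"`, a different function with a different signature; it should show the call actually made at the bottom of the script, `Enable-Scancode "Ctrl" 37`. In the Syntax block the Add parameter is spelled `scancode` while Remove and the property spell it `Scancode`, and the closing brace lacks the `;` the other class declarations use. The same stray ">" characters before key names (">Ctrl, >Shift, >Alt, and >Win") and the collapsed **true**/**false** list in the **Enabled** description appear here as on wekf-customkey.md, and "Windows Powershell" in the script header should be "Windows PowerShell".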
diff --git a/windows/configuration/keyboard-filter/wekf-scancodeadd.md b/windows/configuration/keyboard-filter/wekf-scancodeadd.md
new file mode 100644
index 0000000000..cd4b70efe8
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancodeadd.md
@@ -0,0 +1,42 @@
+---
+title: WEKF_Scancode.Add
+description: WEKF_Scancode.Add
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode.Add
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method adds a new custom scan code combination and enables Keyboard Filter to block the new combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Add(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+);
+```
+
+## Parameters
+
+**Modifers**The modifier keys that are part of the key combination to block.
+
+**Scancode**The hardware scan code of the key to block.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_Scancode.Add** creates a new **WEKF_Scancode** object and sets the **Enabled** property of the new object to **true**.
+
+If a **WEKF_Scancode** object already exists with same *Modifiers* and *Scancode* properties, then **WEKF_Scancode.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_Scancode** object has the **Enabled** property set to **false**, Keyboard Filter doesn't block the scan code.
+
+## Related articles
+
+- [WEKF_Scancode](wekf-scancode.md)
+- [Keyboard Filter](index.md)
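Review bot: "**Modifers**" in Parameters is misspelled (`Modifiers`), and both parameter lines run the bold name straight into the description with no space and no `\[in\]` annotation, unlike the WEKF_CustomKey.Add page ("**CustomKey**\[in\] The custom key combination to add").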
diff --git a/windows/configuration/keyboard-filter/wekf-scancoderemove.md b/windows/configuration/keyboard-filter/wekf-scancoderemove.md
new file mode 100644
index 0000000000..18bc6d3514
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-scancoderemove.md
@@ -0,0 +1,42 @@
+---
+title: WEKF_Scancode.Remove
+description: WEKF_Scancode.Remove
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Scancode.Remove
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+This method removes a custom scan code key combination, causing Keyboard Filter to stop blocking the removed combination.
+
+## Syntax
+
+```powershell
+[Static] uint32 Remove(
+ [In] string Modifiers,
+ [In] uint16 Scancode
+);
+```
+
+## Parameters
+
+**Modifiers**The modifier keys of the combination to remove.
+
+**Scancode**The scan code of the combination to remove.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**WEKF_Scancode.Remove** removes an existing **WEKF_Scancode** object. If the object doesn't exist, **WEKF_Scancode.Remove** returns an error with the value 0x8007007B.
+
+Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
+
+## Related articles
+
+- [WEKF_Scancode](wekf-scancode.md)
+- [Keyboard Filter](index.md)
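Review bot: the Parameters section has the same formatting defect as the Add article: `**Modifiers**The modifier keys of the combination to remove.` and `**Scancode**The scan code of the combination to remove.` run the bold name into the description; put a line break or colon between them. In the Remarks, `returns an error with the value 0x8007007B` is a bare hex constant; say what it is (the HRESULT form of Win32 error 0x7B, ERROR_INVALID_NAME) and note that it is a Win32-derived HRESULT, since the Return Value section just above only mentions WMI constants, which this value is not. The `powershell` fence again labels a MOF signature as PowerShell. Finally, the "Because this method is static" paragraph appears only here; the Add method is equally static (the signature says `[Static]`), so either say it on both pages or move it to the class article the Related articles link to.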
diff --git a/windows/configuration/keyboard-filter/wekf-settings.md b/windows/configuration/keyboard-filter/wekf-settings.md
new file mode 100644
index 0000000000..df43feb21e
--- /dev/null
+++ b/windows/configuration/keyboard-filter/wekf-settings.md
@@ -0,0 +1,95 @@
+---
+title: WEKF_Settings
+description: WEKF_Settings
+ms.date: 01/13/2025
+ms.topic: reference
+---
+
+# WEKF_Settings
+
+[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
+
+Enables or disables settings for Keyboard Filter.
+
+## Syntax
+
+```powershell
+class WEKF_Settings {
+ [Key] string Name;
+ [Read, Write] string Value;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Name** | string | [key] | Indicates the name of the Keyboard Filter setting that this object represents. See the Remarks section for a list of valid setting names. |
+| **Value** | string | [read, write] | Represents the value of the **Name** setting. The value isn't case-sensitive. See the Remarks section for a list of valid values for each setting. |
+
+### Remarks
+
+You must be signed in to an administrator account to make any changes to this class.
+
+Each **WEKF_Settings** object represents a single Keyboard Filter setting. You can enumerate across all **WEKF_Settings** objects to see the value of all Keyboard Filter settings.
+
+The following table lists all settings available for Keyboard Filter.
+
+| Setting name | Description |
+|--------------|-------------|
+| **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. |
+| **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. |
+| **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key. |
+
+One instance of the **WEKF_Settings** class exists for each valid setting.
+
+Changes to the **DisableKeyboardFilterForAdministrator** setting are applied when an administrator account signs in, and applies to all applications run during the user session. If a user without an administrator account runs an application as an administrator, Keyboard Filter is still enabled, regardless of the **DisableKeyboardFilterForAdministrator** setting.
+
+Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device.
+
+If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows logo key or the right Windows logo key, both Windows Logo keys will work as the breakout key.
+
+The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled.
+
+> [!IMPORTANT]
+> On some devices, if the breakout key is pressed too rapidly, the key presses may not register. We recommend that you include a slight pause between each breakout key press.
+
+> [!WARNING]
+> When setting the **BreakoutKeyScanCode**, be sure to use the scan code of the key, and not the virtual key value.
+
+### Example
+
+The following Windows PowerShell script demonstrates how to use this class to modify the breakout mode key for Keyboard Filter. This example sets the **BreakoutKeyScanCode** setting to the scan code for the Home key on a standard keyboard.
+
+```powershell
+#---Define variables---
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define the decimal scan code of the Home key
+
+$HomeKeyScanCode = 71
+
+# Get the BreakoutKeyScanCode setting from WEKF_Settings
+
+$BreakoutMode = get-wmiobject -class wekf_settings -namespace $NAMESPACE | where {$_.name -eq "BreakoutKeyScanCode"}
+
+# Set the breakout key to the Home key.
+
+$BreakoutMode.value = $HomeKeyScanCode
+
+# Push the change into the WMI configuration. You must restart your device before this change takes effect.
+
+$BreakoutMode.put()
+```
+
+## Related articles
+
+[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
+
+[Keyboard Filter](index.md)
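Review bot: the setting name is inconsistent within the hunk: the table lists `DisableKeyboardFilterForAdministrators`, but the Remarks paragraph twice refers to `DisableKeyboardFilterForAdministrator`; `Name` is the key used in lookups such as `where {$_.name -eq "BreakoutKeyScanCode"}`, so a reader who copies the wrong spelling gets no object back. Pick one spelling. The same table row states the setting is `true` by default, which means administrators are not filtered at all out of the box; the Remarks should call that out explicitly, because a kiosk whose service or auto-logon account is a local administrator gets no hotkey blocking until the deployer flips it, and the next paragraph's caveat (run-as-administrator from a standard account is still filtered) only makes sense once that default is understood. Two table cells lost their sentence spacing (`by default.Changing this setting` and `Welcome screen.By default`), and "applies to all applications" in the Remarks should be "apply". In the example script, `$COMPUTER` is defined but never used (no `-ComputerName`), `Value` is declared `string` in the class yet is assigned the integer `71`, and the return of `$BreakoutMode.put()` is discarded, so a failed write (for example when not elevated, which the Remarks say is required) goes unnoticed; check the result, and consider the CIM cmdlets (`Get-CimInstance` / `Set-CimInstance`) since `Get-WmiObject` is deprecated. The warning about scan code versus virtual key is good; the example would be stronger if it also showed reading the value back after the restart.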
diff --git a/windows/configuration/shell-launcher/browser-support.md b/windows/configuration/shell-launcher/browser-support.md
new file mode 100644
index 0000000000..1c3b383033
--- /dev/null
+++ b/windows/configuration/shell-launcher/browser-support.md
@@ -0,0 +1,47 @@
+---
+title: Browser Support
+ms.date: 03/30/2023
+ms.topic: concept-article
+description: Learn about browser support in Kiosk Mode
+---
+
+# Browser Support
+
+Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
+
+## Microsoft Edge Kiosk Mode
+
+> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
+
+[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
+
+* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
+* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
+
+Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
+
+## Internet Explorer 11
+
+[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases.
+
+In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser.
+
+> [!NOTE]
+> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
+>
+> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
+
+## Supported Versions
+
+| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge |
+|--|--|--|--|
+| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
+| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
+| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
+| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
+| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
+
+## Additional Resources
+
+* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
+* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
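Review bot: the opening sentence is stale for a file dated 03/30/2023: `Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge]` presents IE11 as a current choice, while the note further down says IE11 reached end of support on June 15, 2022 for SAC releases. Lead with Microsoft Edge as the supported kiosk browser, state that IE11 remains only on LTSC releases under their lifecycle, and point to IE mode as the migration path; a public-facing kiosk running a retired browser is a security risk the page should not endorse by its framing. `Internet Explorer 11 ... is considered a legacy browser, in subsequent releases.` is ungrammatical and does not say subsequent to what; name the release. The table cell `No browser security updates after March, 9, 2021` has a stray comma in the date, the "Available for LTSC starting in ..." line under "Microsoft Edge Kiosk Mode" is a bare `>` blockquote that should be a `[!NOTE]` like the rest of the page, and "Both experiences are running a Microsoft Edge InPrivate session, which protects user data" overstates what InPrivate does; say that browsing data is not persisted between sessions, which is the kiosk-relevant property.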
diff --git a/windows/configuration/shell-launcher/index.md b/windows/configuration/shell-launcher/index.md
new file mode 100644
index 0000000000..50eeb99ef6
--- /dev/null
+++ b/windows/configuration/shell-launcher/index.md
@@ -0,0 +1,344 @@
+---
+title: Shell Launcher
+description: Shell Launcher
+ms.date: 06/07/2018
+ms.topic: overview
+---
+
+# Shell Launcher
+
+Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+You can also configure Shell Launcher to launch different shell applications for different users or user groups.
+
+There are a few exceptions to the applications and executables you can use as a custom shell:
+
+- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
+- You can't use a Universal Windows app as a custom shell.
+- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
+- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
+- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
+
+> [!NOTE]
+> You cannot configure both Shell Launcher and assigned access on the same system.
+>
+> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
+
+Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
+
+Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
+
+Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
+
+> [!NOTE]
+>
+> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
+>
+> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
+
+## Differences between Shell Launcher v1 and Shell Launcher v2
+
+Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
+Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
+In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
+
+- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
+- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
+- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
+For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
+
+## Requirements
+
+Windows 10 Enterprise or Windows 10 Education.
+
+## Terminology
+
+- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
+- **Configure:** To customize the setting or subsettings.
+- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
+- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
+
+## Turn on Shell Launcher
+
+Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
+
+### Enable Shell Launcher using Control Panel
+
+1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
+1. In the **Programs and Features** window, select **Turn Windows features on or off**.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
+1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+1. Select **Close** to close the **Windows Features** window.
+
+> [!NOTE]
+> Turning on Shell Launcher does not require a device restart.
+
+### Enable Shell Launcher by calling WESL_UserSetting
+
+1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
+1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
+
+This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
+
+### Enable Shell Launcher using DISM
+
+1. Open a command prompt with administrator privileges.
+1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
+1. Create a new directory.
+
+ ```CMD
+ md c:\wim
+ ```
+
+1. Mount the image.
+
+ ```CMD
+ dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+ ```
+
+1. Enable the feature.
+
+ ```CMD
+ dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
+ ```
+
+1. Commit the change.
+
+ ```CMD
+ dism /unmount-wim /MountDir:c:\wim /Commit
+ ```
+
+### Enable Shell Launcher using Windows Configuration Designer
+
+The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
+
+Use the following steps to create a provisioning package that contains the ShellLauncher settings.
+
+1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
+1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
+1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
+1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
+
+## Configure Shell Launcher
+
+There are two ways you can configure Shell Launcher:
+
+1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
+1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
+
+You can configure the following options for Shell Launcher:
+
+- Enable or disable Shell Launcher.
+- Specify a shell configuration for a specific user or group.
+- Remove a shell configuration for a specific user or group.
+- Change the default shell configuration.
+- Get information on a shell configuration for a specific user or group.
+
+Any changes don't take effect until a user signs in.
+
+## Launch different shells for different user accounts
+
+By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
+
+You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
+
+If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
+
+For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
+
+When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
+
+## Perform an action when the shell exits
+
+When a custom shell exits, Shell Launcher can perform one of four actions:
+
+|Action|Description|
+|:---:|:---|
+|0|Restart the shell.|
+|1|Restart the device.|
+|2|Shut down the device.|
+|3|Do nothing.|
+
+> [!IMPORTANT]
+> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
+
+### Default return code action
+
+You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
+
+### Map the exit code to a Shell Launcher action
+
+Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
+
+If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
+
+For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
+
+- restart the device (1) when the shell returns an exit code of value -1
+- restart the shell (0) when the shell returns an exit code of value 0
+- do nothing (3) when the shell returns an exit code of value 1
+- shut down the device (2) when the shell returns an exit code of value 255
+
+Your custom return code action mapping would look like this:
+
+|Exit code|Action|
+|:----:|----|
+|-1|1 (restart the device)|
+|0|0 (restart the shell)|
+|1|3 (do nothing)|
+|255|2 (shut down the device)|
+
+## Set your custom shell
+
+Modify the following PowerShell script as appropriate and run the script on the device.
+
+```PowerShell
+# Check if shell launcher license is enabled
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+$do_nothing = 3
+
+# Examples. You can change these examples to use the program that you want to use as the shell.
+
+# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Enable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($TRUE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+
+# Disable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($FALSE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+```
+
+> [!NOTE]
+> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
+
+## Shell Launcher user rights
+
+A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
+
+> [!WARNING]
+> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
+
+## Related articles
+
+- [Unbranded Boot](../unbranded-boot/index.md)
+- [Custom Logon](../custom-logon/index.md)
+- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
+- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
+- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
+- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)
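Review bot: the sample script's comment and its argument disagree: `# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.` is followed by a `SetCustomShell` call that passes `$restart_shell`, not `$restart_device`; fix one or the other, and since IE11 is retired, use a different example shell (the `$Admins_SID` call also passes only two arguments where the previous call passes five, so state which parameters are optional). The DISM steps are internally inconsistent: step 2 says to copy install.wim to `C:\wim`, step 3 creates `c:\wim`, and step 4 then mounts `c:\bootmedia\sources\install.wim` into `c:\wim`, so the image would be mounted into the folder said to contain it; use distinct source and mount paths. The paragraph "This example uses a Windows image called install.wim ..." sits under "Enable Shell Launcher by calling WESL_UserSetting" but introduces the DISM section that follows it, and its parenthesis is never closed. "In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node" should say "version 1803 and later". The Requirements line lists only Windows 10 Enterprise and Education although this page lives in the IoT Enterprise tree, and `ms.date: 06/07/2018` should be refreshed along with it. The UAC warning at the end is the security-relevant part of the page and currently reads as an instruction; it should say that disabling UAC removes elevation prompts for every process in the session, recommend a shell that runs without elevation (or moving the privileged work into a service) before resorting to that, and state that the custom shell inherits the full rights of the signed-in account, as the preceding paragraph already notes. Minor: the inline path `C:\\Windows\\System32\\Eshell.exe` is double-escaped inside backticks, `Check-ShellLauncherLicenseEnabled` uses an unapproved verb and its `Add-Type` call fails on a second run in the same session because the type already exists, and the last three Related articles link to a windows-hardware page whose anchors are sections of this very article.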
diff --git a/windows/configuration/shell-launcher/kiosk-mode.md b/windows/configuration/shell-launcher/kiosk-mode.md
new file mode 100644
index 0000000000..d5285fa51d
--- /dev/null
+++ b/windows/configuration/shell-launcher/kiosk-mode.md
@@ -0,0 +1,61 @@
+---
+title: Kiosk Mode
+ms.date: 01/18/2024
+ms.topic: overview
+description: Learn about Kiosk Mode in Windows IoT Enterprise.
+---
+
+# Kiosk mode
+
+Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md).
+
+Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
+
+> [!NOTE]
+>
+> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience.
+
+## Which type of app will your kiosk run?
+
+Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app).
+
+## Which type of kiosk do you need?
+
+If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic).
+
+For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop).
+
+## Which type of user account will be the kiosk account?
+
+The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+
+## Kiosk capabilities for Windows 10 IoT Enterprise
+
+| Mode | Features | Description | Customer Usage |
+|------|----------|------------ |-----------------|
+| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices
+| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs |
+| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices |
+| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience |
+
+## How to configure your device for kiosk mode?
+
+Visit the following documentation to set up a kiosk according to your scenario:
+
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
+* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
+
+## Additional Resources
+
+* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app)
+* [Validate your kiosk configuration](/windows/configuration/kiosk-validate)
+* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app)
+* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies)
+* [Assigned access XML reference](/windows/configuration/kiosk-xml)
+* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker)
+* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher)
+* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge)
+* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
+* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
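Review bot: the first data row of the "Kiosk capabilities for Windows 10 IoT Enterprise" table (`| Assigned access | Single-app kiosk (UWP) | ... | Digital signs & single function devices`) is missing its closing `|`, unlike the three rows below it; some Markdown renderers drop or misalign the last cell when the pipes are inconsistent, so add the trailing pipe. Minor: the heading "How to configure your device for kiosk mode?" mixes an imperative with a question mark while the sibling headings are real questions ("Which type of kiosk do you need?"); either "How do you configure your device for kiosk mode?" or drop the question mark.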
diff --git a/windows/configuration/shell-launcher/multi-app-kiosk.md b/windows/configuration/shell-launcher/multi-app-kiosk.md
new file mode 100644
index 0000000000..b77d2fd604
--- /dev/null
+++ b/windows/configuration/shell-launcher/multi-app-kiosk.md
@@ -0,0 +1,39 @@
+---
+title: Multi-App Kiosk
+ms.date: 08/16/2023
+ms.topic: concept-article
+description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
+---
+
+# Assigned access multi-app kiosk
+
+An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
+
+> [!NOTE]
+> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return.
+>
+> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
+
+## Benefits of using a multi-app kiosk
+
+The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access.
+
+A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
+
+## Configuring your multi-app kiosk
+
+* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
+* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
+
+> [!NOTE]
+>
+> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device.
+
+## More Resources
+
+* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
+* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
+* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
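Review bot: the note at the top of multi-app-kiosk.md contradicts itself: it first states that multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2 or 22H2, and the **Update** line immediately after says it is available in 22H2; rewrite the note so the current state leads (available in 22H2 through the continuous innovation releases, not available in 21H2) instead of leaving the reader to reconcile the two. In that same line, `Windows 11](...)., version 22H2` has a stray period before the comma, and "To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [...]" runs two sentences together with a double "see". Also: "specific policies are enforced that affects all nonadministrator users" should read "affect"; the sentence "A multi-app kiosk is appropriate for devices that are shared by multiple people." appears in both the intro and the Benefits section; and under "More Resources" the links "New features and improvements" and "Set up a multi-app kiosk" point to the same URL.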
diff --git a/windows/configuration/shell-launcher/single-app-kiosk.md b/windows/configuration/shell-launcher/single-app-kiosk.md
new file mode 100644
index 0000000000..541fb49a2e
--- /dev/null
+++ b/windows/configuration/shell-launcher/single-app-kiosk.md
@@ -0,0 +1,38 @@
+---
+title: Assigned access Single-App Kiosk
+ms.date: 03/30/2023
+ms.topic: concept-article
+description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
+---
+
+# Assigned access single-app kiosk
+
+A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
+
+> [!NOTE]
+>
+> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
+
+## Benefits of using a single-app kiosk
+
+A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
+
+## Configuring your single-app kiosks
+
+You have several options for configuring your single-app kiosk.
+
+* [Settings App](/windows/configuration/kiosk-single-app#local)
+* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
+* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
+* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
+
+> [!TIP]
+> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
+
+## Additional Resources
+
+* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
+* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
+* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
+* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
+* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
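Review bot: the "Benefits of using a single-app kiosk" paragraph conflates two different lockdown mechanisms. The page's intro says a single-app kiosk "uses the assigned access feature to run a single app above the lock screen", but the benefits paragraph then says "Using shell launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe)" and calls that "This type of single-app kiosk". Per the capabilities table earlier in this PR, Shell Launcher replaces the shell and enforces no default lockdown policies such as hotkey blocking, whereas the assigned access single-app kiosk launches the app above the lock screen and monitors its lifecycle; a reader could deploy Shell Launcher from this page expecting assigned-access hardening. Either describe assigned access here and move the Shell Launcher text to the Shell Launcher overview, or state plainly that these are two separate options with different lockdown guarantees. Related: this file and multi-app-kiosk.md live under `shell-launcher/` while documenting assigned access, and the toc.yml in this PR lists only Shell Launcher pages, so confirm the folder placement is intended.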
diff --git a/windows/configuration/shell-launcher/toc.yml b/windows/configuration/shell-launcher/toc.yml
new file mode 100644
index 0000000000..07c18e4e82
--- /dev/null
+++ b/windows/configuration/shell-launcher/toc.yml
@@ -0,0 +1,25 @@
+
+items:
+- name: Shell Launcher
+ items:
+ - name: Overview
+ href: index.md
+ - name: WMI Provider Reference
+ items:
+ - name: Class WESL_UserSetting
+ href: wesl-usersetting.md
+ - name: GetCustomShell
+ href: wesl-usersettinggetcustomshell.md
+ - name: GetDefaultShell
+ href: wesl-usersettinggetdefaultshell.md
+ - name: IsEnabled
+ href: wesl-usersettingisenabled.md
+ - name: RemoveCustomShell
+ href: wesl-usersettingremovecustomshell.md
+ - name: SetCustomShell
+ href: wesl-usersettingsetcustomshell.md
+ - name: SetDefaultShell
+ href: wesl-usersettingsetdefaultshell.md
+ - name: SetEnabled
+ href: wesl-usersettingsetenabled.md
+
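Review bot: toc.yml omits `wedl-assignedaccess.md`, which this PR adds in the same folder, so the WEDL_AssignedAccess reference page would be unreachable from the navigation; add an entry for it (for example under "WMI Provider Reference") or note why it is intentionally unlisted. Also drop the leading blank line before `items:` and the trailing blank line, and consider nesting the method entries (GetCustomShell through SetEnabled) under "Class WESL_UserSetting" rather than listing them as its siblings, since they are members of that class.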
diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/shell-launcher/wedl-assignedaccess.md
new file mode 100644
index 0000000000..6203943578
--- /dev/null
+++ b/windows/configuration/shell-launcher/wedl-assignedaccess.md
@@ -0,0 +1,141 @@
+---
+title: WEDL\_AssignedAccess
+description: WEDL\_AssignedAccess
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WEDL\_AssignedAccess
+
+This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
+
+## Syntax
+
+```powershell
+class WEDL_AssignedAccess {
+ [Key] string UserSID;
+ [Read, Write] string AppUserModelId;
+ [Read] sint32 Status;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+This class contains no methods.
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. |
+| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. |
+| **Status** | Boolean | none | Indicates the current status of the assigned access configuration |
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. |
+| 1 | Assigned access is enabled. |
+| 0x100 | UserSID error: cannot find the account. |
+| 0x103 | UserSID error: the account profile does not exist. |
+| 0x200 | AppUserModelID error: cannot find the Windows app. |
+| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. |
+| 0xffffffff | Unspecified error.|
+
+### Remarks
+
+Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in.
+
+## Example
+
+The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account.
+
+```powershell
+#
+#---Define variables---
+#
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define the assigned access account.
+# To use a different account, change $AssignedAccessAccount to a user account that is present on your device.
+
+$AssignedAccessAccount = "KioskAccount"
+
+# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator.
+# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch.
+# The Windows app must be installed for the account.
+
+$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
+
+#
+#---Define helper functions---
+#
+
+function Get-UsernameSID($AccountName) {
+
+# This function retrieves the SID for a user account on a machine.
+# This function does not check to verify that the user account actually exists.
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+}
+
+#
+#---Set up the new assigned access account---
+#
+
+# Get the SID for the assigned access account.
+
+$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount)
+
+# Check to see if an assigned access account is already set up, and if so, clear it.
+
+$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
+
+if ($AssignedAccessConfig) {
+
+# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time.
+
+ $AssignedAccessConfig.delete();
+
+}
+
+# Configure assigned access to launch the specified Windows app for the specified account.
+
+Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{
+ UserSID = $AssignedAccessUserSID;
+ AppUserModelId = $AppAUMID
+ } | Out-Null;
+
+# Confirm that the settings were created properly.
+
+$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
+
+if ($AssignedAccessConfig) {
+
+ "Set up assigned access for the " + $AssignedAccessAccount + " account."
+ " UserSID = " + $AssignedAccessConfig.UserSid
+ " AppModelId = " + $AssignedAccessConfig.AppUserModelId
+
+} else {
+
+ "Could not set up assigned access account."
+}
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
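Review bot: the Properties table in wedl-assignedaccess.md gives **Status** the data type `Boolean` and qualifier `none`, but the Syntax block declares it as `[Read] sint32 Status;` and the value table that follows lists integer codes (0, 1, 0x100, 0x103, 0x200, 0x201, 0xffffffff); change the data type to `sint32` and the qualifier to `[read]`, and add a lead-in sentence before the value table saying these are the possible **Status** values, since the table currently follows the properties table with no connecting text. Separately, `title: WEDL\_AssignedAccess` and the matching `description:` are unquoted YAML scalars, in which a backslash is a literal character rather than an escape, so the page title will render with the backslash; the underscore escape is only needed in the `#` heading. In the example script, the confirmation block prints `" AppModelId = " + $AssignedAccessConfig.AppUserModelId` while the property is named `AppUserModelId`; label the output with the real property name so it can be compared against the table.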
diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md
new file mode 100644
index 0000000000..3d7851941e
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersetting.md
@@ -0,0 +1,174 @@
+---
+title: WESL_UserSetting
+description: WESL_UserSetting
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# WESL_UserSetting
+
+This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits.
+
+## Syntax
+
+```powershell
+class WESL_UserSetting {
+ [read, write, Required] string Sid;
+ [read, write, Required] string Shell;
+ [read, write] Sint32 CustomReturnCodes[];
+ [read, write] Sint32 CustomReturnCodesAction[];
+ [read, write] sint32 DefaultAction;
+
+ [Static] uint32 SetCustomShell(
+ [In, Required] string Sid,
+ [In, Required] string Shell,
+ [In] sint32 CustomReturnCodes[],
+ [In] sint32 CustomReturnCodesAction[],
+ [In] sint32 DefaultAction
+ );
+ [Static] uint32 GetCustomShell(
+ [In, Required] string Sid,
+ [Out, Required] string Shell,
+ [Out, Required] sint32 CustomReturnCodes[],
+ [Out, Required] sint32 CustomReturnCodesAction[],
+ [Out, Required] sint32 DefaultAction
+ );
+ [Static] uint32 RemoveCustomShell(
+ [In, Required] string Sid
+ );
+ [Static] uint32 GetDefaultShell(
+ [Out, Required] string Shell,
+ [Out, Required] sint32 DefaultAction
+ );
+ [Static] uint32 SetDefaultShell(
+ [In, Required] string Shell,
+ [In, Required] sint32 DefaultAction
+ );
+ [Static] uint32 IsEnabled(
+ [Out, Required] boolean Enabled
+ );
+ [Static] uint32 SetEnabled(
+ [In, Required] boolean Enabled);
+ );
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|---------|-------------|
+| [WESL_UserSetting.SetCustomShell](wesl-usersettingsetcustomshell.md) | Configures Shell Launcher for a specific user or group, based on SID. |
+| [WESL_UserSetting.GetCustomShell](wesl-usersettinggetcustomshell.md) | Retrieves the Shell Launcher configuration for a specific user or group, based on the SID. |
+| [WESL_UserSetting.RemoveCustomShell](wesl-usersettingremovecustomshell.md) | Removes a Shell Launcher configuration for a specific user or group, based on the SID. |
+| [WESL_UserSetting.GetDefaultShell](wesl-usersettinggetdefaultshell.md) | Retrieves the default Shell Launcher configuration. |
+| [WESL_UserSetting.SetDefaultShell](wesl-usersettingsetdefaultshell.md) | Sets the default Shell Launcher configuration. |
+| [WESL_UserSetting.IsEnabled](wesl-usersettingisenabled.md) | Retrieves a value that indicates if Shell Launcher is enabled or disabled. |
+| [WESL_UserSetting.SetEnabled](wesl-usersettingsetenabled.md) | Enables or disables Shell Launcher. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Sid** | string | [read, write, required] | User or group SID. |
+| **shell** | string | [read, write, required] | The application to start as the shell.The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.Any spaces in the **shell** property must be part of a quote-delimited string. |
+| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. |
+| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.The possible actions are:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
+| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.The possible actions are defined as follows:0 - Restart the shell.1 - Restart the device.2 - Shut down the device.3 - Do nothing. |
+
+### Remarks
+
+Only one **WESL_UserSetting** instance exists on a device with Shell Launcher.
+
+Shell Launcher uses the custom configuration defined for the SID of the user currently signed in, if one exists. Otherwise, Shell Launcher uses a custom configuration defined for a group SID that the user is a member of, if any exist. If multiple group custom configurations for the user exist, Shell Launcher uses the first valid configuration it finds. The search order is not defined.
+
+If there is no custom configuration for the user's SID or any group SIDs that the user is a member of, Shell Launcher uses the default configuration.
+
+You can find the SID for a user and any groups that the user is a member of by using the [whoami](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771299(v=ws.10)) command-line tool.
+
+## Example
+
+The following Windows PowerShell script demonstrates how to add and remove custom shell configurations for Shell Launcher by using the Windows Management Instrumentation (WMI) providers for Shell Launcher.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+$do_nothing = 3
+
+# Examples
+
+# Set the command prompt as the default shell, and restart the device if it's closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [Shell Launcher](index.md)
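Review bot: the Syntax block in wesl-usersetting.md closes `SetEnabled` twice: `[Static] uint32 SetEnabled(` / `[In, Required] boolean Enabled);` / `);` leaves a stray `);`, so the class declaration as shown is not valid; either remove the second `);` or move the first onto its own line to match the other methods. In the Properties table the **shell** row is lowercase while the syntax and the other rows use `Shell`, and the **shell**, **CustomReturnCodesAction** and **DefaultAction** descriptions have lost their separators ("as the shell.The **shell** property", "The possible actions are:0 - Restart the shell.1 - Restart the device.2 - ..."); add spaces or `<br>` breaks so the 0 to 3 action list is readable. In the example script, the comment "Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed." doesn't match the call, which passes `$restart_shell` (0) rather than `$restart_device` (1); fix one or the other. Finally, the Remarks say "Only one **WESL_UserSetting** instance exists on a device with Shell Launcher", yet the example enumerates instances with `Get-WmiObject ... -class WESL_UserSetting | Select Sid, Shell, DefaultAction` under "View all the custom shells defined"; clarify whether there is one instance per configured SID or one instance in total.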
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
new file mode 100644
index 0000000000..5633e7df6e
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
@@ -0,0 +1,77 @@
+---
+title: WESL_UserSetting.GetCustomShell
+description: WESL_UserSetting.GetCustomShell
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.GetCustomShell
+
+This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+
+## Syntax
+
+```powershell
+[Static] uint32 GetCustomShell (
+ [In, Required] string Sid,
+ [Out, Required] string Shell,
+ [Out, Required] sint32 CustomReturnCodes[],
+ [Out, Required] sint32 CustomReturnCodesAction[],
+ [Out, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+
+**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+
+**CustomReturnCodes**\[out, required\] An array of custom return codes returned by the shell application.
+
+**CustomReturnCodesAction**\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+**DefaultAction**\[out, required\] The default action that Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:------:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application.
+
+If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
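Review bot: the action-code table (0 Restart the shell, 1 Restart the device, 2 Shut down the device, 3 Do nothing) is repeated twice in wesl-usersettinggetcustomshell.md, once under *CustomReturnCodesAction* and again under *DefaultAction*; since both parameters use the same codes, define the table once and say that *DefaultAction* takes the same values, which also keeps the copies from drifting (the SetCustomShell page has the same duplication). The parameter entries are written as `**Sid**\[in, required\] A string ...` with no separator between the bold name and the qualifier, so the rendered text runs them together; add a space or put the qualifier on its own line.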
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
new file mode 100644
index 0000000000..9cabb200ab
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
@@ -0,0 +1,57 @@
+---
+title: WESL_UserSetting.GetDefaultShell
+description: WESL_UserSetting.GetDefaultShell
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.GetDefaultShell
+
+This method retrieves the default Shell Launcher configuration.
+
+## Syntax
+
+```powershell
+[Static] uint32 GetDefaultShell (
+ [Out, Required] string Shell,
+ [Out, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Shell**\[out, required\] The application or executable that Shell Launcher starts as the shell.
+
+**DefaultAction**\[out, required\] The default action Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
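Review bot: the Remarks in wesl-usersettinggetdefaultshell.md say the default configuration is used "when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations", but the WESL_UserSetting page in this same PR states that Shell Launcher also looks for a custom configuration for any group SID the user is a member of before falling back to the default; say so here too (for example, "when neither the user's SID nor any of the user's group SIDs has a custom configuration"), otherwise a reader may assume only a user-level match is considered. The parameter entries also lack a separator between the bold name and the `\[out, required\]` qualifier.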
diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
new file mode 100644
index 0000000000..fb4739ce37
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
@@ -0,0 +1,41 @@
+---
+title: WESL_UserSetting.IsEnabled
+description: WESL_UserSetting.IsEnabled
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.IsEnabled
+
+This method retrieves a value that indicates if Shell Launcher is enabled or disabled.
+
+## Syntax
+
+```powershell
+[Static] uint32 IsEnabled(
+ [Out, Required] boolean Enabled
+);
+```
+
+## Parameters
+
+**Enabled**\[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
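Review bot: wesl-usersettingisenabled.md has no Remarks section, unlike the sibling method pages, and neither this page nor the SetEnabled entry in the class page says whether custom and default shell configurations are retained when Shell Launcher is disabled and simply stop taking effect, or whether they are cleared; a one-sentence remark on that would let an administrator know what IsEnabled returning false implies for the stored configuration.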
diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
new file mode 100644
index 0000000000..fb1df0e87f
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
@@ -0,0 +1,45 @@
+---
+title: WESL_UserSetting.RemoveCustomShell
+description: WESL_UserSetting.RemoveCustomShell
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.RemoveCustomShell
+
+This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+
+## Syntax
+
+```powershell
+[Static] uint32 RemoveCustomShell (
+ [In, Required] string Sid
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must restart your device for the changes to take effect.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
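Review bot: the Remarks in wesl-usersettingremovecustomshell.md state "You must restart your device for the changes to take effect", but the SetCustomShell and SetDefaultShell pages in this PR say nothing about when their changes apply; if a restart is required for every WESL_UserSetting change, state it once on the class page (or on each Set*/Remove* page), and if it applies only to removal, say why, since a reader following the class page's example script will otherwise not know whether the new shell takes effect at next sign-in or only after a restart.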
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
new file mode 100644
index 0000000000..a90450063c
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
@@ -0,0 +1,77 @@
+---
+title: WESL_UserSetting.SetCustomShell
+description: WESL_UserSetting.SetCustomShell
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetCustomShell
+
+This method configures Shell Launcher for a specific user or group, based on the security identifier (SID).
+
+## Syntax
+
+```powershell
+[Static] uint32 SetCustomShell (
+ [In, Required] string Sid,
+ [In, Required] string Shell,
+ [In] sint32 CustomReturnCodes[],
+ [In] sint32 CustomReturnCodesAction[],
+ [In] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Sid**\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
+
+**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+
+**CustomReturnCodes**\[in\] An array of custom return codes that can be returned by the shell application.
+
+**CustomReturnCodesAction**\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+**DefaultAction**\[In\] The default action that Shell Launcher takes when the shell application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-----:|-------------|
+| 0 | Restart the shell.|
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application.
+
+If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
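Review bot: The Syntax block is fenced as ```powershell, but the content is MOF-style WMI method syntax (`[Static] uint32 SetCustomShell (...)`), so it should be a plain or `mof` fence to avoid misleading highlighting; the same applies to the SetDefaultShell and SetEnabled pages added in this PR. The parameter text says *CustomReturnCodesAction* maps to the *CustomReturnCodes* array, but neither the parameters nor the Remarks say what happens when the two arrays differ in length or when a code appears twice; the Remarks only cover a code that is absent or an action that is invalid, so one sentence on a length mismatch (error, or extra entries ignored) would close that gap. Minor: the `\[In\]` annotation on **DefaultAction** is capitalised while every other parameter uses `\[in\]`; the possible-actions table is pasted twice, once for *CustomReturnCodesAction* and once for *DefaultAction*, and a reference such as "the same values as listed for *CustomReturnCodesAction*" would keep the two from drifting apart; and the `description:` front matter just repeats the title, which gives search results nothing to show.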
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
new file mode 100644
index 0000000000..ec89600f38
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
@@ -0,0 +1,57 @@
+---
+title: WESL_UserSetting.SetDefaultShell
+description: WESL_UserSetting.SetDefaultShell
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetDefaultShell
+
+This method sets the default Shell Launcher configuration.
+
+## Syntax
+
+```powershell
+[Static] uint32 SetDefaultShell (
+ [In, Required] string Shell,
+ [In, Required] sint32 DefaultAction
+);
+```
+
+## Parameters
+
+**Shell**\[in, required\] The application or executable that Shell Launcher starts as the shell.
+
+**DefaultAction**\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
+
+The possible actions are defined in the following table:
+
+| Value | Description |
+|:-------:|-------------|
+| 0 | Restart the shell. |
+| 1 | Restart the device. |
+| 2 | Shut down the device. |
+| 3 | Do nothing. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
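Review bot: **DefaultAction** is marked `[In, Required]` here but optional on SetCustomShell, and the Remarks don't say what happens when a value outside 0-3 is passed; SetCustomShell's Remarks spell out the fallback (restart the shell), so either state the same fallback here or say that an invalid value is rejected with an error, so the two pages agree. The Remarks also say the default configuration applies when the signed-in user's SID matches no custom configuration, but SetCustomShell accepts group SIDs as well, so it is worth saying whether group membership is considered before falling back to the default. Minor: the table alignment row uses `:-------:` where the sibling Shell Launcher pages use `:-----:`.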
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
new file mode 100644
index 0000000000..43aff8b5a7
--- /dev/null
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
@@ -0,0 +1,47 @@
+---
+title: WESL_UserSetting.SetEnabled
+description: WESL_UserSetting.SetEnabled
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# WESL_UserSetting.SetEnabled
+
+This method enables or disables Shell Launcher.
+
+## Syntax
+
+```powershell
+[Static] uint32 SetEnabled(
+ [In, Required] boolean Enabled
+);
+```
+
+## Parameters
+
+**Enabled**\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher.
+
+Enabling or disabling Shell Launcher does not take effect until a user signs in.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related topics
+
+- [WESL_UserSetting](wesl-usersetting.md)
+- [Shell Launcher](index.md)
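Review bot: The Remarks say SetEnabled works by modifying the **Shell** value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, but not what is written when `Enabled` is true nor what `SetEnabled(false)` restores the value to (the stock shell, or whatever was there before); since this is a value administrators may have configuration monitoring on, stating the before and after values lets them recognise the change as expected rather than investigate it. The sentence "Enabling or disabling Shell Launcher does not take effect until a user signs in" would be clearer as "until the next sign-in", since an already signed-in user keeps the current shell.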
diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md
index 0627e33663..2294ebe5cc 100644
--- a/windows/configuration/start/index.md
+++ b/windows/configuration/start/index.md
@@ -1,8 +1,8 @@
---
-title: Configure the Start menu
+title: Configure The Windows Start Menu With Policy Settings
description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most.
ms.topic: overview
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage
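Review bot: The new title "Configure The Windows Start Menu With Policy Settings" capitalises articles and prepositions ("The", "With"), which doesn't match the sentence-case headings used elsewhere in the repo (for example the unchanged H1 "# Configure access to the Microsoft Store app" later in this PR); the retitled layout.md and store/index.md have the same issue. Suggest "Configure the Windows Start menu with policy settings". The `description:` line is unchanged and already reads correctly, so only the title needs adjusting.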
diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md
index 81f5d11c75..af0a608300 100644
--- a/windows/configuration/start/layout.md
+++ b/windows/configuration/start/layout.md
@@ -1,8 +1,8 @@
---
-title: Customize the Start layout
+title: Customize The Start Layout For Managed Windows Devices
description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---
diff --git a/windows/configuration/start/xsd.md b/windows/configuration/start/xsd.md
index 714f0aa70f..ba0f818bc7 100644
--- a/windows/configuration/start/xsd.md
+++ b/windows/configuration/start/xsd.md
@@ -2,7 +2,7 @@
title: Start XML Schema Definition (XSD)
description: Start XSD reference article.
ms.topic: reference
-ms.date: 04/10/2024
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 10
---
diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md
index 09c92aea0f..b6b7609319 100644
--- a/windows/configuration/store/index.md
+++ b/windows/configuration/store/index.md
@@ -1,8 +1,8 @@
---
-title: Configure access to the Microsoft Store app
+title: Configure Access To The Microsoft Store App For Windows Devices
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
-ms.date: 03/13/2024
+ms.date: 12/02/2024
---
# Configure access to the Microsoft Store app
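Review bot: The retitled front matter "Configure Access To The Microsoft Store App For Windows Devices" now diverges from the page's own H1 "# Configure access to the Microsoft Store app" in both casing and wording, so the browser tab and search result will show a different name from the page heading; keep the two aligned, in sentence case, or change the H1 in the same commit.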
diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md
index 351c262871..da97f38e11 100644
--- a/windows/configuration/taskbar/xsd.md
+++ b/windows/configuration/taskbar/xsd.md
@@ -2,7 +2,7 @@
title: Windows Taskbar XML Schema Definition (XSD)
description: Reference article about the Taskbar XML schema definition (XSD).
ms.topic: reference
-ms.date: 11/07/2024
+ms.date: 11/11/2024
---
# Taskbar XML Schema Definition (XSD)
diff --git a/windows/configuration/unbranded-boot/images/boot.jpg b/windows/configuration/unbranded-boot/images/boot.jpg
new file mode 100644
index 0000000000..bc46adb1cf
Binary files /dev/null and b/windows/configuration/unbranded-boot/images/boot.jpg differ
diff --git a/windows/configuration/unbranded-boot/index.md b/windows/configuration/unbranded-boot/index.md
new file mode 100644
index 0000000000..e3aa95b244
--- /dev/null
+++ b/windows/configuration/unbranded-boot/index.md
@@ -0,0 +1,160 @@
+---
+title: Unbranded Boot
+description: Unbranded Boot
+ms.date: 09/10/2024
+ms.topic: overview
+---
+
+# Unbranded Boot
+
+You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot.
+
+> [!IMPORTANT]
+> The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.
+
+## Requirements
+
+Unbranded Boot can be enabled on:
+
+- Windows 10 Enterprise
+- Windows 10 IoT Enterprise
+- Windows 10 Education
+- Windows 11 Enterprise
+- Windows 11 IoT Enterprise
+- Windows 11 Education
+
+## Terminology
+
+- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line.
+
+- **Configure:** To customize the setting or subsettings.
+
+- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511.
+
+- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
+
+## Turn on Unbranded Boot settings
+
+Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
+
+If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
+
+BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
+
+### Turn on Unbranded Boot by using Control Panel
+
+1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
+1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
+1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+1. Restart your device to apply the changes.
+
+## Configure Unbranded Boot settings at runtime using BCDEdit
+
+1. Open a command prompt as an administrator.
+1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
+
+ ```cmd
+ bcdedit.exe -set {globalsettings} advancedoptions false
+ ```
+
+1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu.
+
+ ```cmd
+ bcdedit.exe -set {globalsettings} optionsedit false
+ ```
+
+1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup.
+
+ ```cmd
+ bcdedit.exe -set {globalsettings} bootuxdisabled on
+ ```
+
+1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen.
+
+ ```cmd
+ bcdedit.exe -set {bootmgr} noerrordisplay on
+ ```
+
+## Configure Unbranded Boot using Unattend
+
+You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp.
+
+### Unbranded Boot settings
+
+The following table shows Unbranded Boot settings and their values.
+
+| Setting | Description | Value |
+|---------|-------------|-------|
+| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. |
+| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. |
+| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. |
+| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. |
+| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. |
+| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. |
+
+## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM)
+
+You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup.
+
+1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
+
+1. In the Available customizations page, select **Runtime settings** > **SMISettings** and then set the value for the boot screen settings. The following values are just examples.
+
+ - **HideAllBootUI**=FALSE
+ - **HideBootLogo**=FALSE
+ - **HideBootStatusIndicator**=TRUE
+ - **HideBootStatusMessage**=TRUE
+ - **CrashDumpEnabled**=Full dump
+
+ > [!TIP]
+ > For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
+
+1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings.
+ 1. Open a command prompt with administrator privileges.
+ 1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
+ 1. Create a new directory.
+
+ ```cmd
+ md c:\wim
+ ```
+
+ 1. Mount the image.
+
+ ```cmd
+ dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+ ```
+
+ 1. Enable the feature.
+
+ ```cmd
+ dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
+ ```
+
+ 1. Commit the change.
+
+ ```cmd
+ dism /unmount-wim /MountDir:c:\wim /Commit
+ ```
+
+In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
+
+
+
+## Replace the startup logo
+
+The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
+
+## Suppress Errors During Boot
+
+Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
+
+1. Open a command prompt as an administrator.
+1. Run the following command to suppress error screens during boot.
+
+ ```cmd
+ bcdedit.exe -set {bootmgr} noerrordisplay on
+ ```
+
+## Related articles
+
+- [Custom Logon](../custom-logon/index.md)
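Review bot: The paragraph "In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue." is followed by two blank lines and no image, and the `images/boot.jpg` added earlier in this PR is never referenced, so the image markdown (with alt text) appears to have been dropped. Other points in this file: "BDCEdit" in the "If Windows has already been installed" paragraph is a typo for BCDEdit; the DISM steps say install.wim is copied to `c:\wim` and then use `c:\wim` as the mount directory while the command reads `/wimfile:c:\bootmedia\sources\install.wim`, so either the copy step or the `/wimfile:` path is wrong (a file can't be both inside and the target of the mount directory); the "Suppress Errors During Boot" section repeats the `bcdedit.exe -set {bootmgr} noerrordisplay on` step already given under "Configure Unbranded Boot settings at runtime using BCDEdit", and a cross-reference would avoid maintaining the same instruction twice; and every row of the settings table uses "otherwise; set to 0 (zero)" where a comma is needed. Since the text already states that early-boot errors are a sign of bad configuration or failing hardware that needs intervention, it would help to add, beside the noerrordisplay step, that a device configured this way shows only a black screen on such a failure, so support staff know to expect that rather than a diagnostic message.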
diff --git a/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md b/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md
new file mode 100644
index 0000000000..f58729857a
--- /dev/null
+++ b/windows/configuration/unified-write-filter/hibernate-once-resume-many-horm.md
@@ -0,0 +1,165 @@
+---
+title: Hibernate Once/Resume Many (HORM)
+description: Hibernate Once/Resume Many (HORM)
+ms.date: 04/12/2018
+ms.topic: concept-article
+---
+
+# Hibernate Once/Resume Many (HORM)
+
+You can use the Hibernate Once/Resume Many (HORM) feature with Unified Write Filter (UWF) to start your device in a preconfigured state. When HORM is enabled, your system always resumes and restarts from the last saved hibernation file (hiberfil.sys).
+
+A device with HORM enabled can quickly be turned off or shut down, and then restarted into the preconfigured state, even if a sudden power loss.
+
+> [!NOTE]
+> HORM can be used on Unified Extensible Firmware Interface (UEFI) devices running Windows 10, version 1709, or newer versions of Windows, only. In previous Windows versions, the installation procedure for UEFI creates a hidden system partition. Because UWF can't protect hidden partitions, HORM can't be used on any devices that contain a hidden partition, including UEFI-capable devices on older versions of Windows.
+
+## Requirements
+
+Windows 10 Enterprise, Windows 10 Education, or Windows IoT Core (IoT Core). Supported on x86-based and x64-based devices.
+
+On Windows 10, version 21H2 or newer versions of Windows, Read-Only Media mode must be implemented to enable HORM.
+
+## UWF configuration
+
+UWF must be enabled before you can enable or disable HORM. UWF must be configured in the following ways to protect the hibernation file from becoming invalid:
+
+- All fixed volumes that are mounted on the system are protected by UWF.
+- Your system must not have any file, folder, or registry exclusions configured for UWF.
+- The UWF overlay must be configured to use RAM mode. HORM doesn't support disk-backed overlays.
+
+UWF doesn't filter hibernation files from being written to disk. If you want to protect the preconfigured state of your device, lock down any functionality that can modify the hibernation file. For example, disable hibernation, hybrid sleep, and fast startup for standard user accounts to prevent the saved hibernation file from being overwritten when entering sleep, hibernate, or shutdown state.
+
+To disable hybrid sleep and fast startup on your device, follow these steps.
+
+### How to disable hybrid sleep
+
+1. Open the Local Group Policy Editor (gpedit.msc) and navigate to the following path.
+ Computer Configuration\Administrative Templates\System\Power Management\Sleep settings
+
+1. Enable the following two settings under the path:
+
+ Turn off hybrid sleep (plugged in)
+ Turn off hybrid sleep (on battery)
+
+### How to disable fast startup
+
+To disable fast startup, set the following registry value:
+
+> [!IMPORTANT]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power
+Name: HiberbootEnabled
+Type: DWORD
+Value: 0 (0 = Disabled、1 = Enabled)
+
+### How to prevent Windows from entering hibernation due to the system idle time-out or user operations
+
+Configure the following two policies in Local Group Policy Editor (gpedit.msc):
+
+Policy to prevent Windows from entering hibernation by the system idle time:
+
+1. Under the following path:
+ Computer Configuration\Administrative Templates\System\Power Management\Sleep settings
+
+1. Enable these two settings and set the value to 0.
+
+ Specify the system hibernate timeout (plugged in)
+ Specify the system hibernate timeout (on battery)
+
+Disable the policy to show "Hibernation" in the power options menu:
+
+1. Under the following path:
+ Computer Configuration\Windows Components\File Explorer
+
+1. Disable the following setting:
+ Show hibernate in the power options menu
+
+> [!NOTE]
+>
+> - Don't disable hibernate (i.e. powercfg /h off) because it deletes the hiberfil.sys which HORM requires.
+> - Even after you set all these settings, the timestamp of hiberfil.sys is updated after the system reboot. This is because UWF can't filter the hiberfil.sys file, and the file needs to be compressed and decompressed during the system reboot. However, this doesn't change the content of hiberfil.sys so the preconfigured state of the device is protected.
+
+## Configure HORM
+
+1. On the device, open a command prompt as an administrator.
+1. To enable hibernation on the device, type the following command:
+
+ `powercfg /h on`
+
+1. To enable UWF on your device, type the following command:
+
+ `uwfmgr.exe filter enable`
+
+1. To protect all volumes on your device, type the following command:
+
+ `uwfmgr.exe volume protect all`
+
+ > [!Note]
+ > DVD RW and floppy drives throw an expected error that can be safely ignored.
+
+1. To restart your device to enable UWF, type the following command:
+
+ `uwfmgr.exe filter restart`
+
+1. After the device restarts, to verify the UWF changes that you made on your device, type the following command:
+
+ `uwfmgr.exe get-config`
+
+1. To enable HORM on your device, type the following command:
+
+ `uwfmgr.exe filter enable-horm`
+
+ > [!Note]
+ > Remove all file and registry exclusions before you enable HORM.
+
+1. (Optional) In Control Panel, set the Power Option **When I press the power button** to avoid displaying the command prompt when resuming from hibernation, or use a script to close the command prompt on startup.
+1. To hibernate the system one time to create an initial hibernation file, at the command prompt, type the following command:
+
+ `shutdown /h`
+
+1. Press the power button to wake the system from hibernation.
+1. After the system starts from hibernation to create an initial hibernation file, to shut down and restart the system, type the following command:
+
+ `uwfmgr.exe restart`
+
+1. When HORM is enabled, you can't change the UWF configuration. To make changes, you must first disable HORM. To disable HORM, type the following command:
+
+ `uwfmgr.exe filter disable-horm`
+
+1. To restart the system to finish disabling HORM, type the following command:
+
+ `uwfmgr.exe restart`
+
+ The system restarts normally with HORM disabled.
+
+> [!WARNING]
+> Don't uninstall UWF when the filter is enabled or when HORM is enabled, either online or offline by using Windows PE.
+
+## Fix an issue when you can't disable HORM
+
+In rare circumstances, your device can enter a state where you can't disable HORM normally.
+
+If you can't disable HORM on your device, use following procedure to resolve this issue:
+
+1. Start your device in Windows PE.
+1. Type the following command:
+
+ `bcdedit.exe /set {bootmgr} custom:26000024 0`
+
+1. Restart the device:
+
+ `shutdown /r/t 0`
+
+1. Disable HORM:
+
+ `uwfmgr.exe filter disable-horm`
+
+1. Enable HORM:
+
+ `uwfmgr.exe filter enable-horm`
+
+1. Hibernate the device:
+
+ `shutdown /h`
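Review bot: `shutdown /r/t 0` in the "Fix an issue when you can't disable HORM" steps is missing the space between the switches and should be `shutdown /r /t 0`. The HiberbootEnabled value line contains a full-width ideographic comma ("0 = Disabled、1 = Enabled") that should be an ASCII comma. The Group Policy path under "Disable the policy to show "Hibernation"" reads `Computer Configuration\Windows Components\File Explorer`, omitting the `Administrative Templates` node that the sleep-settings path earlier in the same section includes; please verify which is correct. The Requirements line lists "Windows IoT Core (IoT Core)" while the other pages in this PR list Windows IoT Enterprise in their Requirements tables, so confirm the intended edition. Grammar and formatting: "even if a sudden power loss" should read "even after a sudden power loss"; the path and setting-name lines under "How to disable hybrid sleep" and the two hibernate-timeout policies are bare continuation lines and will run into the preceding list item, so put them in code spans or their own sub-list; `[!Note]` should be `[!NOTE]` to match the other callouts; and "i.e. powercfg /h off" should be "for example, `powercfg /h off`".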
diff --git a/windows/configuration/unified-write-filter/images/administratorcommandprompt.png b/windows/configuration/unified-write-filter/images/administratorcommandprompt.png
new file mode 100644
index 0000000000..3e16f5dc74
Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorcommandprompt.png differ
diff --git a/windows/configuration/unified-write-filter/images/administratorcompactprompt.png b/windows/configuration/unified-write-filter/images/administratorcompactprompt.png
new file mode 100644
index 0000000000..6e2d631dd9
Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorcompactprompt.png differ
diff --git a/windows/configuration/unified-write-filter/images/administratorprompt.png b/windows/configuration/unified-write-filter/images/administratorprompt.png
new file mode 100644
index 0000000000..e58c02c595
Binary files /dev/null and b/windows/configuration/unified-write-filter/images/administratorprompt.png differ
diff --git a/windows/configuration/unified-write-filter/images/fullvolumecommit.png b/windows/configuration/unified-write-filter/images/fullvolumecommit.png
new file mode 100644
index 0000000000..8b1c889cd1
Binary files /dev/null and b/windows/configuration/unified-write-filter/images/fullvolumecommit.png differ
diff --git a/windows/configuration/unified-write-filter/images/overlaysettings.png b/windows/configuration/unified-write-filter/images/overlaysettings.png
new file mode 100644
index 0000000000..d82148918a
Binary files /dev/null and b/windows/configuration/unified-write-filter/images/overlaysettings.png differ
diff --git a/windows/configuration/unified-write-filter/index.md b/windows/configuration/unified-write-filter/index.md
new file mode 100644
index 0000000000..86456e0582
--- /dev/null
+++ b/windows/configuration/unified-write-filter/index.md
@@ -0,0 +1,124 @@
+---
+title: Unified Write Filter (UWF) feature (unified-write-filter)
+description: Unified Write Filter (UWF) feature (unified-write-filter)
+ms.date: 10/02/2018
+ms.topic: overview
+---
+
+# Unified Write Filter (UWF) feature
+
+Unified Write Filter (UWF) is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is cleared during a reboot or when a guest user logs off.
+
+## Benefits
+
+- Provides a clean experience for thin clients and workspaces that have frequent guests, like school, library or hotel computers. Guests can work, change settings, and install software. After the device reboots, the next guest receives a clean experience.
+
+- Increases security and reliability where new apps aren't frequently added.
+
+- Can be used to reduce wear on solid-state drives and other write-sensitive media.
+
+- Optimizing Application load timing on boot – it can be faster to resume from a HORM file on every boot rather than reloading the system on each boot
+
+UWF replaces the Windows 7 Enhanced Write Filter (EWF) and the File Based Write Filter (FBWF).
+
+## Features
+
+- UWF can protect most supported writable storage types, including physical hard disks, solid-state drives, internal USB devices, and external SATA devices. You can't use UWF to protect external removable drives, USB devices or flash drives. Supports both master boot record (MBR) and GUID partition table (GPT) volumes.
+
+- You can use UWF to make read-only media appear to the OS as a writable volume.
+
+- You can manage UWF directly on a Windows 10 device using [uwfmgr.exe](uwfmgrexe.md), or remotely using MDM tools with the [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) or the [UWF WMI](uwf-wmi-provider-reference.md).
+
+- You can [update and service UWF-protected devices](service-uwf-protected-devices.md) by using UWF servicing mode or adding file and registry exclusions to specific system areas.
+
+- On Windows 10, version 1803, you can use a [persistent overlay](uwfoverlay.md#persistent-overlay) to allow data saved in the virtual overlay to remain even after a reboot.
+
+- On devices with a disk overlay, you can use [free space passthrough)](uwfoverlay.md#freespace-passthrough-recommended) to access your drive's free space.
+
+- UWF supports paging to increase virtual memory, if the page file exists on an unprotected volume. When paging is used together with a RAM-based overlay, the uptime of the system can be increased.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Limitations
+
+- File systems:
+ - FAT: fully supported.
+ - NTFS: fully supported. However, during device startup, NTFS file system journal files can write to a protected volume before UWF has started protecting the volume.
+ - Other file systems (example: exFAT): You can protect the volume, but can't create file exclusions or do file commit operations on the volume. Writes to excluded files still influence the growth of the Overlay.
+
+- The overlay doesn't mirror the entire volume, but dynamically grows to keep track of redirected writes.
+
+- UWF supports up to 16 terabytes of protected volumes.
+
+- UWF doesn't support the use of fast startup when shutting down your device. If fast startup is turned on, shutting down the device doesn't clear the overlay. You can disable fast startup in Control Panel by navigating to **Control Panel** > **All Control Panel Items** > **Power Options** > **System Settings** and clearing the checkbox next to **Turn on fast startup (recommended)**.
+
+- UWF doesn't support [Storage Spaces](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831739(v=ws.11)).
+
+- On a computer on which [UWF is enabled and used to protect drive C](./uwf-turnonuwf.md#turn-on-uwf-on-a-running-pc), you can't permanently set the date and time to a past time. If you make such a change, the original date and time settings will be restored after the computer restarts.
+
+ To work around this issue, you must disable UWF before you change the date and time with th the following command.
+
+ ```cmd
+ uwfmgr.exe filter disable
+ ```
+
+ > [!NOTE]
+ > Do not add the file that retains date and time settings ("%windir%\bootstat.dat") to the [write filter exclusions](./uwfexclusions.md) to work around this issue. Doing this causes Stop error 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) to occur.
+
+## Turn on and configure UWF
+
+UWF is an optional component and isn't enabled by default in Windows 10. You must [turn on UWF](uwf-turnonuwf.md) before you can configure it.
+
+## UWF overlay
+
+You can choose the type of overlay, reserved space and persistence after a reboot.
+
+To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device.
+
+To learn more, see [UWF Overlay location and size](uwfoverlay.md).
+
+## Volumes
+
+A volume is a logical unit that represents an area of persistent storage to the file system that is used by the OS such as:
+
+- A single physical storage device, such as a hard disk
+- A single partition on a physical storage device with multiple partitions
+- Span across multiple physical storage devices
+
+For example, a collection of hard disks in a RAID array can be represented as a single volume to the OS.
+
+When you configure UWF to protect a volume, you can specify the volume by using either a drive letter or the volume device identifier. To determine the device identifier for a volume, query the **DeviceID** property in the **Win32_Volume** WMI class.
+
+If you specify a volume using a drive letter, UWF uses *loose binding* to recognize the volume. With *loose binding*, drive letters are assigned dynamically as the volume configuration changes.
+
+If you specify a volume using the volume device identifier, UWF uses *tight binding* to recognize the volume. With *tight binding*, the device identifier is unique to the storage volume and is independent from the drive letter assigned to the volume by the file system.
+
+## Exclusions
+
+You can add specific files, folders, and registry keys to the [write filter exclusion](uwfexclusions.md) list to prevent them from being filtered.
+
+## UWF servicing mode
+
+When a device is protected with UWF, you must use UWF servicing mode commands to service the device and apply updates to an image. You can use UWF servicing mode to apply Windows updates, antimalware signature file updates, and custom software or third-party software updates.
+
+For more information about how to use UWF servicing mode to apply software updates to your device, see [Service UWF-protected devices](service-uwf-protected-devices.md).
+
+## Troubleshooting UWF
+
+UWF uses Windows Event Log to log events, errors and messages related to overlay consumption, configuration changes, and servicing.
+
+For more information about how to find event log information for troubleshooting problems with Unified Write Filter (UWF), see [Troubleshooting Unified Write Filter (UWF)](uwftroubleshooting.md).
+
+## Related articles
+
+- [Unbranded Boot](../unbranded-boot/index.md)
+- [Custom Logon](../custom-logon/index.md)
+- [Shell Launcher](../shell-launcher/index.md)
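Review bot: The third bullet under Volumes, "Span across multiple physical storage devices", is not parallel with the two noun-phrase bullets above it; "A span across multiple physical storage devices" keeps the list consistent. The loose-binding paragraph states that drive letters are reassigned as the volume configuration changes but leaves the consequence implicit: a protection or exclusion configured by drive letter can end up applying to a different volume than the one intended after a layout change, which is the reason the device identifier (tight binding) is the safer choice on devices whose storage layout may change. One sentence saying so would make the choice between the two binding modes actionable.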
diff --git a/windows/configuration/unified-write-filter/service-uwf-protected-devices.md b/windows/configuration/unified-write-filter/service-uwf-protected-devices.md
new file mode 100644
index 0000000000..0891306f21
--- /dev/null
+++ b/windows/configuration/unified-write-filter/service-uwf-protected-devices.md
@@ -0,0 +1,35 @@
+---
+title: Service UWF-protected devices
+description: Service UWF-protected devices
+ms.date: 10/02/2018
+ms.topic: reference
+---
+
+# Service UWF-protected devices
+
+To update your devices, use UWF servicing mode. UWF servicing mode allows you to apply Windows updates, anti-malware signature file updates, and custom software or third-party software updates.
+
+Normally, when the Unified Write Filter (UWF) is active, system updates are disabled, as they would be erased when the overlay is cleared.
+
+When UWF servicing mode is triggered, Windows does the following:
+
+1. Clears the UWF overlay
+1. Reboots the devices
+1. Triggers a system maintenance hour
+1. Disables the UWF filter
+1. Scans for and applies Windows updates
+1. Scans for and applies app updates from the Microsoft store
+1. After servicing is complete, it re-enables the UWF filter and resumes UWF protection
+
+>[!NOTE]
+> Servicing mode requires that all user accounts on the system have a password. If there's a user account that doesn't include a password, UWF servicing fails.
+
+## In this section
+
+| Article | Description |
+|:------------------------------------------|:-----------------------------------------------------------------------------------|
+| [Anti-malware support on UWF-protected devices](uwf-antimalware-support.md) |Describes the procedures to add support for Microsoft Defender and System Center Endpoint Protection (SCEP/Forefront) anti-malware to your UWF-protected devices. |
+| [Apply OEM updates to UWF-protected devices](uwf-apply-windows-updates.md) |Provides information about how to apply OEM updates to a UWF-protected device. |
+| [Apply Windows updates to UWF-protected devices](uwf-apply-windows-updates.md) | Describes the procedures to apply Windows updates to your UWF-protected devices. |
+| [UWF master servicing script](uwf-master-servicing-script.md) | Provides information about the UWF master servicing script (UwfServicingMasterScript.cmd). |
+| [UWF servicing screen saver](uwf-servicing-screen-saver.md) | Provides information about how to modify the default UWF servicing screen saver. |
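Review bot: The "Apply OEM updates to UWF-protected devices" row in the In this section table links to uwf-apply-windows-updates.md, the same target as the row below it; the file added in this PR and the toc entry use uwf-apply-oem-updates.md, so the link should be `[Apply OEM updates to UWF-protected devices](uwf-apply-oem-updates.md)`. Also, step 2 of the servicing sequence reads "Reboots the devices" where the rest of the list is singular ("Reboots the device").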
diff --git a/windows/configuration/unified-write-filter/toc.yml b/windows/configuration/unified-write-filter/toc.yml
new file mode 100644
index 0000000000..d8105e71ec
--- /dev/null
+++ b/windows/configuration/unified-write-filter/toc.yml
@@ -0,0 +1,126 @@
+
+items:
+- name: Unified Write Filter
+ items:
+ - name: Overview
+ href: index.md
+ - name: Hibernate Once/Resume Many (HORM)
+ href: hibernate-once-resume-many-horm.md
+ - name: Exclusions
+ href: uwfexclusions.md
+ - name: Overlay
+ href: uwfoverlay.md
+ - name: Enable
+ href: uwf-turnonuwf.md
+ - name: Command Line Utility (uwfmgr.exe)
+ href: uwfmgrexe.md
+ - name: Servicing
+ items:
+ - name: Servicing protected devices
+ href: service-uwf-protected-devices.md
+ - name: Antimalware support
+ href: uwf-antimalware-support.md
+ - name: Windows Updates
+ href: uwf-apply-windows-updates.md
+ - name: OEM Updates
+ href: uwf-apply-oem-updates.md
+ - name: Servicing master script
+ href: uwf-master-servicing-script.md
+ - name: Servicing screen saver
+ href: uwf-servicing-screen-saver.md
+ - name: Troubleshooting
+ href: uwftroubleshooting.md
+ - name: WMI Provider Reference
+ items:
+ - name: Overview
+ href: uwf-wmi-provider-reference.md
+ - name: Class UWF_ExcludedFile
+ href: uwf-excludedfile.md
+ - name: Class UWF_ExcludedRegistryKey
+ href: uwf-excludedregistrykey.md
+ - name: Class UWF_Filter
+ items:
+ - name: Overview
+ href: uwf-filter.md
+ - name: Disable
+ href: uwf-filterdisable.md
+ - name: Enable
+ href: uwf-filterdisable.md
+ - name: ResetSettings
+ href: uwf-filterresetsettings.md
+ - name: RestartSystem
+ href: uwf-filterrestartsystem.md
+ - name: ShutdownSystem
+ href: uwf-filtershutdownsystem.md
+ - name: Class UWF_Overlay
+ items:
+ - name: Overview
+ href: uwf-overlay.md
+ - name: GetOverlayFiles
+ href: uwf-overlaygetoverlayfiles.md
+ - name: OverlayFile
+ href: uwf-overlayfile.md
+ - name: SetCriticalThreshold
+ href: uwf-overlaysetcriticalthreshold.md
+ - name: SetWarningThreshold
+ href: uwf-overlaysetwarningthreshold.md
+ - name: Class UWF_OverlayConfig
+ items:
+ - name: Overview
+ href: uwf-overlayconfig.md
+ - name: SetMaximumSize
+ href: uwf-overlayconfigsetmaximumsize.md
+ - name: SetType
+ href: uwf-overlayconfigsettype.md
+ - name: Class UWF_RegistryFilter
+ items:
+ - name: Overview
+ href: uwf-registryfilter.md
+ - name: AddExclusion
+ href: uwf-registryfilteraddexclusion.md
+ - name: CommitRegistry
+ href: uwf-registryfiltercommitregistry.md
+ - name: CommitRegistryDeletion
+ href: uwf-registryfiltercommitregistrydeletion.md
+ - name: FindExclusion
+ href: uwf-registryfilterfindexclusion.md
+ - name: GetExclusions
+ href: uwf-registryfiltergetexclusions.md
+ - name: RemoveExclusion
+ href: uwf-registryfilterremoveexclusion.md
+ - name: Class UWF_Servicing
+ items:
+ - name: Overview
+ href: uwf-servicing.md
+ - name: Disable
+ href: uwf-servicingdisable.md
+ - name: Enable
+ href: uwf-servicingenable.md
+ - name: UpdateWindows
+ href: uwf-servicingupdatewindows.md
+ - name: Class UWF_Volume
+ items:
+ - name: Overview
+ href: uwf-volume.md
+ - name: AddExclusion
+ href: uwf-volumeaddexclusion.md
+ - name: CommitFile
+ href: uwf-volumecommitfile.md
+ - name: CommitFileDeletion
+ href: uwf-volumecommitfiledeletion.md
+ - name: FindExclusion
+ href: uwf-volumefindexclusion.md
+ - name: GetExclusions
+ href: uwf-volumegetexclusions.md
+ - name: protect
+ href: uwf-volumeprotect.md
+ - name: RemoveAllExclusions
+ href: uwf-volumeremoveallexclusions.md
+ - name: RemoveExclusion
+ href: uwf-volumeremoveexclusion.md
+ - name: SetBindByDriveLetter
+ href: uwf-volumesetbindbydriveletter.md
+ - name: Unprotect
+ href: uwf-volumeunprotect.md
+ - name: Migration from Enhanced Write Filter
+ href: uwf-wes7-ewf-to-win10-uwf.md
\ No newline at end of file
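Review bot: Under Class UWF_Filter, the "Enable" entry points at uwf-filterdisable.md, the same href as the "Disable" entry above it; the file added in this PR is uwf-filterenable.md, so it should be `href: uwf-filterenable.md`. Two smaller points: the UWF_Volume entry "protect" is lowercase while its sibling "Unprotect" and every other method name is capitalized, and the file begins with a blank line and ends without a trailing newline; both are worth tidying while the file is new.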
diff --git a/windows/configuration/unified-write-filter/uwf-antimalware-support.md b/windows/configuration/unified-write-filter/uwf-antimalware-support.md
new file mode 100644
index 0000000000..9dfd69b37d
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-antimalware-support.md
@@ -0,0 +1,73 @@
+---
+title: Antimalware support on UWF-protected devices
+description: Antimalware support on UWF-protected devices
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# Antimalware support on UWF-protected devices
+
+Learn how to enable antimalware support on your USB Filter-enabled Windows 10 Enterprise device.
+
+When using antimalware software on your Unified Write Filter (UWF)-protected device, you must add the required file and registry exclusions that enable the software to apply updates to signature files and persist changes to the device after a system restart.
+
+## Add support for Microsoft Defender on UWF-protected devices
+
+Add these exclusions to UWF:
+
+1. File exclusions
+
+ ```text
+ C:\Program Files\Windows Defender
+ C:\ProgramData\Microsoft\Windows Defender
+ C:\Windows\WindowsUpdate.log
+ C:\Windows\Temp\MpCmdRun.log
+ ```
+
+1. Registry exclusions
+
+ ```reg
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
+ ```
+
+ > [!NOTE]
+ > If a Windows IoT Enterprise computer stops responding during Windows startup, see [Windows doesn't start after you exclude UWF from Microsoft Defender](/troubleshoot/windows-client/performance/windows-hangs-on-startup-after-excluding-uwf-from-microsoft-defender) for a workaround. This issue impacts:
+ >
+ > - Windows 10 IoT Enterprise, version 21H1
+ > - Windows 10 IoT Enterprise, version 21H2
+ > - Windows 10 IoT Enterprise, version 22H1
+ > - Windows 10 IoT Enterprise LTSC 2016
+ > - Windows 10 IoT Enterprise LTSC 2019
+ > - Windows 10 IoT Enterprise LTSC 2021
+ > - Windows 11 IoT Enterprise
+
+## Add support for System Center Endpoint Protection on UWF-protected devices
+
+Add these exclusions to UWF:
+
+1. File exclusions
+
+ ```txt
+ C:\Program Files\Microsoft Security Client
+ C:\Windows\Windowsupdate.log
+ C:\Windows\Temp\Mpcmdrun.log
+ C:\ProgramData\Microsoft\Microsoft Antimalware
+ ```
+
+1. Registry exclusions
+
+ ```reg
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
+ ```
+
+> [!NOTE]
+> Windows 10 Enterprise doesn't include System Center Endpoint Protection. You can purchase licenses and install System Center Endpoint Protection independently.
+
+## Related articles
+
+- [Service UWF-protected devices](service-uwf-protected-devices.md)
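Review bot: The intro sentence says "USB Filter-enabled Windows 10 Enterprise device", which reads like an autocorrect of "Unified Write Filter"; the rest of the page uses UWF, so "UWF-enabled" or "Unified Write Filter (UWF)-enabled" is what was meant. The two file-exclusion blocks are tagged inconsistently (`text` for Defender, `txt` for SCEP); use one tag. It would also help to say why these paths and keys are excluded: the second paragraph explains that the antimalware software must persist signature updates across a restart, and a one-line mapping (the program and ProgramData folders for engine and signature files, the Services keys for the WdBoot, WdFilter and WdNisDrv drivers and the WdNisSvc and WinDefend services) lets an administrator judge whether each entry is still needed instead of copying the list blindly, since every exclusion is a write path that UWF no longer reverts.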
diff --git a/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md b/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md
new file mode 100644
index 0000000000..cb9ea97d95
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-apply-oem-updates.md
@@ -0,0 +1,42 @@
+---
+title: Apply OEM updates to UWF-protected devices
+description: Apply OEM updates to UWF-protected devices
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# Apply OEM updates to UWF-protected devices
+
+To apply OEM updates on a Unified Write Filter (UWF)-protected Windows 10 device, you can modify the UPDATE\_SUCCESS block of UWF master servicing script (UwfServicingMasterScript.cmd) to call a custom OEM script that applies any required OEM updates. The OEM script should return control back to the UWF Master Servicing Script when finished.
+
+The UWF Master Servicing Script (UwfServicingMasterScript.cmd) is located in the \Windows\System32 folder.
+
+## UPDATE_SUCCESS (UwfServicingMasterScript.cmd)
+
+The UPDATE_SUCCESS block of the UWF master servicing script follows:
+
+```powershell
+:UPDATE_SUCCESS
+echo UpdateAgent returned success.
+REM
+REM echo UpdateAgent executing OEM script
+REM OEM can call their custom scripts
+REM at this point through a "call".
+REM
+REM The OEM script should hand control
+REM back to this script once complete.
+REM
+REM Any error recovery for OEM script
+REM should be handled outside of this script
+REM post a reboot.
+REM
+uwfmgr servicing disable
+echo Restarting system
+goto UPDATE_EXIT
+```
+
+## Related articles
+
+- [Service UWF-protected devices](service-uwf-protected-devices.md)
+- [UWF master servicing script](uwf-master-servicing-script.md)
+- [Unified Write Filter]( index.md)
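Review bot: The UPDATE_SUCCESS block is fenced as `powershell` but the content is a cmd batch script (`:UPDATE_SUCCESS`, `REM`, `goto`); tag it `cmd` or `bat` so the highlighting is correct and readers do not try to run it in PowerShell. In the first paragraph "UPDATE\_SUCCESS" has an escaped underscore while the heading uses "UPDATE_SUCCESS"; use the plain form in both. The Related articles link `[Unified Write Filter]( index.md)` has a stray space inside the parentheses; the same pattern appears in the Related articles of every other file in this PR (uwf-apply-windows-updates.md, uwf-excludedfile.md, uwf-excludedregistrykey.md, uwf-filter.md and the UWF_Filter method pages), so fix them together. Finally, the path is written `\Windows\System32` here and `\\Windows\\System32` in uwf-master-servicing-script.md; pick one rendering.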
diff --git a/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md b/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md
new file mode 100644
index 0000000000..02d0791dc8
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-apply-windows-updates.md
@@ -0,0 +1,69 @@
+---
+title: Apply Windows updates to UWF-protected devices
+description: Apply Windows updates to UWF-protected devices
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# Apply Windows updates to UWF-protected devices
+
+When a device is protected with Unified Write Filter (UWF), you must use UWF servicing mode commands to service the device and apply updates to an image.
+
+UWF servicing mode uses the following files to when it applies Windows updates to your device:
+
+- UWFMgr.exe command-line tool
+- UwfServicingScr.scr screen saver
+- UwfServicingMasterScript.cmd script
+
+> [!NOTE]
+> The master servicing script can be modified to service third-party applications, service custom OEM applications, or call custom OEM servicing scripts.
+
+UWF servicing supports the following types of Windows updates:
+
+- Critical updates
+- Security updates
+- Driver updates
+
+## Enable Servicing Mode
+
+1. To apply Windows updates to your device, at an administrator command prompt, type the following command:
+
+ ```cmd
+ uwfmgr.exe servicing enable
+ ```
+
+1. Restart the device. Use either command.
+
+ ```cmd
+ uwfmgr.exe filter restart
+ ```
+
+ ```cmd
+ shutdown /r /t 0
+ ```
+
+On restart, the device automatically signs in to the servicing account and servicing starts.
+
+> [!IMPORTANT]
+> The default servicing account that is automatically created and used for servicing is named **UWF-Servicing**. It's important that you don't have a user account that has that same name on a device before starting UWF servicing.
+
+Once servicing has started, no user interaction is required. The system may restart if it's required by the Windows updates that are installing. If a restart is required, the system reenters servicing mode on restart and continues until all updates are installed.
+
+While servicing is underway, the UwfServicingScr.scr screen saver displays on the device.
+
+> [!NOTE]
+> The UwfServicingScr.scr screen saver that is included with Windows 10 Enterprise is a standard Windows screen saver and can be replaced by a custom OEM screen saver if necessary.
+
+When Windows update servicing is finished, the system disables UWF servicing and restarts the system with UWF-protection enabled and all file and registry exclusions restored to their original pre-servicing state.
+
+> [!NOTE]
+> During UWF servicing in Windows 10 Enterprise, Windows Update automatically accepts all Microsoft Software License Terms.
+
+> [!NOTE]
+> If Windows updates can't be installed or return an error, servicing is disabled and the system restarts with UWF-protection re-enabled and all file and registry exclusions restored to their original pre-servicing state.
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
+- [UWF master servicing script](uwf-master-servicing-script.md)
+- [UWF servicing screen saver](uwf-servicing-screen-saver.md)
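Review bot: "uses the following files to when it applies Windows updates" has a stray "to". In step 2, "Use either command." reads better as "Use either of the following commands:" since two fenced commands follow it. The IMPORTANT note about the UWF-Servicing account states the constraint but not what to do about it; telling the administrator to list the local accounts and confirm none is named UWF-Servicing before running `uwfmgr.exe servicing enable` would make the note actionable, and the note that servicing accepts all Microsoft Software License Terms automatically deserves the same IMPORTANT level as the account warning, since it is a decision made on the administrator's behalf.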
diff --git a/windows/configuration/unified-write-filter/uwf-excludedfile.md b/windows/configuration/unified-write-filter/uwf-excludedfile.md
new file mode 100644
index 0000000000..4ede7c857b
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-excludedfile.md
@@ -0,0 +1,51 @@
+---
+title: UWF_ExcludedFile
+description: UWF_ExcludedFile
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_ExcludedFile
+
+Contains the files and folders that are currently in the file exclusion list for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+class UWF_ExcludedFile {
+ [Read] string FileName;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Properties
+
+| Property | Data type | Qualifier | Description |
+|----------|-----------|-----------|-------------|
+| FileName | string | [read] | The name of the file or folder path in the file exclusion list, including the full path relative to the volume. |
+
+### Remarks
+
+UWF_ExcludedFile does not represent an actual WMI object, and you cannot use this class to get or set file exclusions.
+
+You must use the [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) method to retrieve UWF_ExcludedFile objects.
+
+You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove file and folder exclusions to a volume.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+- [Unified Write Filter]( index.md)
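Review bot: The Syntax block is a MOF class declaration, not PowerShell, so the `powershell` fence tag is misleading (the same applies to the UWF_ExcludedRegistryKey and UWF_Filter pages); `mof` or an untagged fence is more accurate. Under Members, "The following tables list any methods and properties" but the class has no methods and only a Properties table follows; say "The following table lists the properties of this class". The Remarks correctly state that this class is not a real WMI object and is only returned by UWF_Volume.GetExclusions; consider moving that sentence up into the description, since a reader arriving from the WMI reference will otherwise try to query the class directly first.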
diff --git a/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md b/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md
new file mode 100644
index 0000000000..6ed0903f55
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-excludedregistrykey.md
@@ -0,0 +1,51 @@
+---
+title: UWF_ExcludedRegistryKey
+description: UWF_ExcludedRegistryKey
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_ExcludedRegistryKey
+
+Contains the registry keys that are currently in the registry key exclusion list for Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+class UWF_ExcludedRegistryKey {
+ [Read] string RegistryKey;
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Properties
+
+| Property | Data type | Qualifier | Description |
+|-------------|----------------|-----------|-------------|
+| RegistryKey | string | [read] | The full path of the registry key in the registry key exclusion list. |
+
+### Remarks
+
+UWF_ExcludedRegistryKeydoes not represent an actual WMI object, and you cannot use this class to get or set registry key exclusions.
+
+You can use the [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) or [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) methods to retrieve UWF_ExcludedRegistryKey objects.
+
+You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove registry keys to the UWF registry key exclusion list.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+- [Unified Write Filter]( index.md)
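Review bot: The last Remarks paragraph says to use UWF_Volume.AddExclusion and UWF_Volume.RemoveExclusion to add or remove registry keys, but those are the file-exclusion methods on UWF_Volume; registry exclusions are managed by UWF_RegistryFilter.AddExclusion and UWF_RegistryFilter.RemoveExclusion, which this PR adds to the toc as uwf-registryfilteraddexclusion.md and uwf-registryfilterremoveexclusion.md, so the links should point there. Also "UWF_ExcludedRegistryKeydoes" is missing a space, and, as on the UWF_ExcludedFile page, "The following tables list any methods and properties" should become "The following table lists the properties" since there are no methods.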
diff --git a/windows/configuration/unified-write-filter/uwf-filter.md b/windows/configuration/unified-write-filter/uwf-filter.md
new file mode 100644
index 0000000000..4d209d93e2
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filter.md
@@ -0,0 +1,169 @@
+---
+title: UWF_Filter
+description: UWF_Filter
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter
+
+Enables or disables Unified Write Filter (UWF), resets configuration settings for UWF, and shuts down or restarts your device.
+
+## Syntax
+
+```powershell
+class UWF_Filter{
+ [key] string Id;
+ [read] boolean CurrentEnabled;
+ [read] boolean NextEnabled;
+ UInt32 Enable();
+ UInt32 Disable();
+ UInt32 ResetSettings();
+ UInt32 ShutdownSystem();
+ UInt32 RestartSystem();
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+### Methods
+
+| Methods | Description |
+|----------|-------------|
+| [UWF_Filter.Enable](uwf-filterenable.md) | Enables UWF on the next restart. |
+| [UWF_Filter.Disable](uwf-filterdisable.md) | Disables UWF on the next restart. |
+| [UWF_Filter.ResetSettings](uwf-filterresetsettings.md) | Restores UWF settings to the original state that was captured at install time. |
+| [UWF_Filter.ShutdownSystem](uwf-filtershutdownsystem.md) |Safely shuts down a system protected by UWF, even if the overlay is full. |
+| [UWF_Filter.RestartSystem](uwf-filterrestartsystem.md) | Safely restarts a system protected by UWF, even if the overlay is full. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **Id** | string | [key] | A unique ID. This is always set to **UWF_Filter** |
+| **CurrentEnabled** | Boolean | [read] | Indicates if UWF is enabled for the current session. |
+| **NextEnabled** | Boolean | [read] | Indicates if UWF is enabled after the next restart. |
+
+### Remarks
+
+You must use an administrator account to make any changes to the configuration settings for UWF. Users with any kind of account can read the current configuration settings.
+
+## Example
+
+The following example demonstrates how to enable or disable UWF by using the WMI provider in a PowerShell script.
+
+The PowerShell script creates three functions to help enable or disable UWF. It then demonstrates how to use each function.
+
+The first function, `Disable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Disable()** method to disable UWF after the next device restart.
+
+The second function, `Enable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Enable()** method to enable UWF after the next device restart.
+
+The third function, `Display-UWFState`, examines the properties of the **UWF_Filter** object, and prints out the current settings for **UWF_Filter**.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a function to disable the Unified Write Filter driver after the next restart.
+function Disable-UWF() {
+
+# Retrieve the UWF_Filter settings.
+ $objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter;
+
+ if(!$objUWFInstance) {
+ "Unable to retrieve Unified Write Filter settings."
+ return;
+ }
+
+# Call the method to disable UWF after the next restart. This sets the NextEnabled property to false.
+
+ $retval = $objUWFInstance.Disable();
+
+# Check the return value to verify that the disable is successful
+ if ($retval.ReturnValue -eq 0) {
+ "Unified Write Filter will be disabled after the next system restart."
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+# Create a function to enable the Unified Write Filter driver after the next restart.
+function Enable-UWF() {
+
+# Retrieve the UWF_Filter settings.
+ $objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter;
+
+ if(!$objUWFInstance) {
+ "Unable to retrieve Unified Write Filter settings."
+ return;
+ }
+
+# Call the method to enable UWF after the next restart. This sets the NextEnabled property to false.
+
+ $retval = $objUWFInstance.Enable();
+
+# Check the return value to verify that the enable is successful
+ if ($retval.ReturnValue -eq 0) {
+ "Unified Write Filter will be enabled after the next system restart."
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+# Create a function to display the current settings of the Unified Write Filter driver.
+function Display-UWFState() {
+
+# Retrieve the UWF_Filter object
+ $objUWFInstance = Get-WmiObject -Namespace $NAMESPACE -Class UWF_Filter;
+
+ if(!$objUWFInstance) {
+ "Unable to retrieve Unified Write Filter settings."
+ return;
+ }
+
+# Check the CurrentEnabled property to see if UWF is enabled in the current session.
+ if($objUWFInstance.CurrentEnabled) {
+ $CurrentStatus = "enabled";
+ } else {
+ $CurrentStatus = "disabled";
+ }
+
+# Check the NextEnabled property to see if UWF is enabled or disabled after the next system restart.
+ if($objUWFInstance.NextEnabled) {
+ $NextStatus = "enabled";
+ } else {
+ $NextStatus = "disabled";
+ }
+}
+
+# Some examples of how to call the functions
+
+Display-UWFState
+
+"Enabling Unified Write Filter"
+Enable-UWF
+
+Display-UWFState
+
+"Disabling Unified Write Filter"
+Disable-UWF
+
+Display-UWFState
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+- [Unified Write Filter]( index.md)
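Review bot: In Enable-UWF the comment before `$retval = $objUWFInstance.Enable();` says "This sets the NextEnabled property to false"; it should say true (the comment was copied from Disable-UWF). Display-UWFState computes $CurrentStatus and $NextStatus but never outputs them, although the prose above the script says it "prints out the current settings"; the function needs a final line such as `"Unified Write Filter is currently $CurrentStatus and will be $NextStatus after the next restart."`. Minor: the `Id` row in the Properties table is missing its closing period, and the script mixes `Get-WMIObject -namespace -class` with `Get-WmiObject -Namespace -Class`; PowerShell is case-insensitive so both run, but the documented cmdlet casing is the latter and a reference page should use it consistently.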
diff --git a/windows/configuration/unified-write-filter/uwf-filterdisable.md b/windows/configuration/unified-write-filter/uwf-filterdisable.md
new file mode 100644
index 0000000000..c6ada6a188
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filterdisable.md
@@ -0,0 +1,43 @@
+---
+title: UWF_Filter.Disable
+description: UWF_Filter.Disable
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter.Disable
+
+Disables Unified Write Filter (UWF) on the next restart.
+
+## Syntax
+
+```powershell
+UInt32 Disable();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to disable UWF.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Filter](uwf-filter.md)
+- [Unified Write Filter]( index.md)
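Review bot: The Remarks say only that an administrator account is required; the Enable page's remark "You must restart your device after you enable or disable UWF before the change takes effect" applies equally to Disable() and is what a caller most needs to know, since the method only changes NextEnabled and leaves CurrentEnabled untouched until the restart. Adding that sentence here keeps the two method pages symmetric.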
diff --git a/windows/configuration/unified-write-filter/uwf-filterenable.md b/windows/configuration/unified-write-filter/uwf-filterenable.md
new file mode 100644
index 0000000000..9789518d3f
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filterenable.md
@@ -0,0 +1,66 @@
+---
+title: UWF_Filter.Enable
+description: UWF_Filter.Enable
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter.Enable
+
+Enables Unified Write Filter (UWF) on the next restart.
+
+## Syntax
+
+```powershell
+UInt32 Enable();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to enable UWF.
+
+You must restart your device after you enable or disable UWF before the change takes effect.
+
+The first time you enable UWF on your device, UWF makes the following changes to your system to improve the performance of UWF:
+
+- Paging files are disabled.
+- System restore is disabled.
+- SuperFetch is disabled.
+- File indexing service is turned off.
+- Defragmentation service is turned off.
+- Fast boot is disabled.
+- BCD setting **bootstatuspolicy** is set to **ignoreallfailures**.
+
+You can change these settings after you enable UWF if you want to. For example, you can move the page file location to an unprotected volume and re-enable paging files.
+
+Additionally, after you run `uwfmgr filter enable`, restart the computer and exit the servicing mode, the following things are disabled:
+
+- Windows Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate`
+- Windows Store Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload`
+- Registry Reorganization by setting `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager\RegistryReorganizationLimitDays`
+- Maintenance Hour by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled`
+
+After you run `uwfmgr filter disable`, restart the computer and enter the serving mode, the changes are reverted.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Filter](uwf-filter.md)
+- [Unified Write Filter]( index.md)
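Review bot: "enter the serving mode" in the last Remarks sentence should be "servicing mode". The sentence "after you run `uwfmgr filter enable`, restart the computer and exit the servicing mode, the following things are disabled" is hard to parse; "after you run `uwfmgr filter enable`, restart the computer, and exit servicing mode, UWF disables the following:" reads better. The four bullets name the registry values that UWF sets but not the data written to them, so an administrator auditing a device cannot verify the expected state; state the value each key is set to. It would also help to note that these are policy keys an administrator may already manage through Group Policy or MDM, so a conflicting policy can silently re-enable updates on a protected device.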
diff --git a/windows/configuration/unified-write-filter/uwf-filterresetsettings.md b/windows/configuration/unified-write-filter/uwf-filterresetsettings.md
new file mode 100644
index 0000000000..24528c7d76
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filterresetsettings.md
@@ -0,0 +1,47 @@
+---
+title: UWF_Filter.ResetSettings
+description: UWF_Filter.ResetSettings
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter.ResetSettings
+
+Restores UWF settings to the original configuration settings.
+
+## Syntax
+
+```powershell
+UInt32 ResetSettings();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to reset UWF settings.
+
+The original configuration settings are captured the first time that you enable UWF after you add UWF to your device by using **Turn Windows features on or off**. You can change the original configuration settings by using **Turn Windows features on or off** to remove and then add UWF, and then modifying the configuration to the desired state before you enable UWF.
+
+If you added UWF to your device by using SMI settings in an unattend.xml file, the original configuration settings are captured when Windows 10 Enterprise is installed on your device.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Filter](uwf-filter.md)
+- [Unified Write Filter]( index.md)
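Review bot: The second Remarks paragraph says the original settings are captured "when Windows 10 Enterprise is installed", but the Requirements table lists Windows Enterprise, Education and IoT Enterprise as supported; the same edition-specific wording appears in uwf-antimalware-support.md and uwf-apply-windows-updates.md. Either generalize the wording to the supported editions or say explicitly that the statement is specific to Windows 10 Enterprise.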
diff --git a/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md b/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md
new file mode 100644
index 0000000000..d442c0ff84
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filterrestartsystem.md
@@ -0,0 +1,48 @@
+---
+title: UWF_Filter.RestartSystem
+description: UWF_Filter.RestartSystem
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter.RestartSystem
+
+Safely restarts a system protected by UWF, even if the overlay is full.
+
+## Syntax
+
+```powershell
+UInt32 RestartSystem();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to call this method.
+You can't run on WMI providers; it's only available from Intune/CSP.
+
+If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take a long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely restart a system by avoiding this scenario.
+
+If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Filter](uwf-filter.md)
+- [Unified Write Filter]( index.md)
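Review bot: The Remarks line "You can't run on WMI providers; it's only available from Intune/CSP." contradicts the rest of the page, which documents RestartSystem as a method of the UWF_Filter WMI class with a syntax block, a return value and a Requirements table, and no equivalent line appears on the ShutdownSystem page. Either the sentence is a leftover from another page and should be deleted, or, if the method really cannot be invoked through the WMI provider, the description should say so and name the CSP that exposes it. As written, an administrator cannot tell which is true.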
diff --git a/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md b/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md
new file mode 100644
index 0000000000..60cd1b79d9
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-filtershutdownsystem.md
@@ -0,0 +1,47 @@
+---
+title: UWF_Filter.ShutdownSystem
+description: UWF_Filter.ShutdownSystem
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Filter.ShutdownSystem
+
+Safely shuts down a system protected by UWF, even if the overlay is full.
+
+## Syntax
+
+```powershell
+UInt32 ShutdownSystem();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to call this method.
+
+If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take an extremely long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely shut down a system by avoiding this scenario.
+
+If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Filter](uwf-filter.md)
+- [Unified Write Filter]( index.md)
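Review bot: the Remarks explain why a normal shutdown is slow when the overlay is full, but never say what this method does differently, so the "Safely shuts down" claim in the lead sentence is unexplained; one sentence on the mechanism (for example whether UWF stops redirecting writes or fails them fast after the call, and what happens to pending file or registry commits) is what an administrator deciding between this method and `shutdown /s` needs. The second paragraph also says `an extremely long time` while the RestartSystem page says `a long time` for the identical scenario; pick one wording for both pages. Same `powershell` tag on a MOF signature as the other reference pages.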
diff --git a/windows/configuration/unified-write-filter/uwf-master-servicing-script.md b/windows/configuration/unified-write-filter/uwf-master-servicing-script.md
new file mode 100644
index 0000000000..502d932499
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-master-servicing-script.md
@@ -0,0 +1,88 @@
+---
+title: UWF master servicing script
+description: UWF master servicing script
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# UWF master servicing script
+
+The UWF master servicing script (UwfServicingMasterScript.cmd) is located in the \\Windows\\System32 folder.
+
+## UwfServicingMasterScript.cmd
+
+The full UWF master servicing script follows:
+
+```powershell
+REM servicing of the device with UWF installed. The script will
+REM call UWF manager application to update the system with the
+REM latest available updates.
+REM The script will detect whether the update operation
+REM ended successfully or requires a reboot.
+REM
+REM The script will change the "SERVICING" state of the device
+REM only when the update operation results in a "SUCCESS".
+REM A state change of the device requires a reboot.
+REM
+REM If the update operation requires a "REBOOT" the script will
+REM reboot device without changing the "SERVICING" state. The
+REM Will then run again on the following reboot until
+REM the update operation either return a "SUCCESS" or a "ERROR"
+REM
+REM Any third-party script that needs to run before the state
+REM change should run in the UPDATE_SUCCESS block
+REM
+REM Environment :
+REM It is expected that UWF is turned "OFF", "SERVICING" mode
+REM enabled and all other preconditions
+REM for servicing are in place.
+REM
+REM
+REM
+
+
+echo UpdateAgent starting.
+uwfmgr servicing update-windows
+if ERRORLEVEL 3010 goto UPDATE_REBOOT
+if ERRORLEVEL 0 goto UPDATE_SUCCESS
+echo UpdateAgent returned error =%ERRORLEVEL%
+
+:UPDATE_ERROR
+uwfmgr servicing disable
+echo Restarting system
+goto UPDATE_EXIT
+
+:UPDATE_REBOOT
+echo UpdateAgent requires a reboot.
+echo UpdateAgent restarting system
+goto UPDATE_EXIT
+
+:UPDATE_SUCCESS
+echo UpdateAgent returned success.
+REM
+REM echo UpdateAgent executing OEM script
+REM OEM can call their custom scripts
+REM at this point through a "call".
+REM
+REM The OEM script should hand control
+REM back to this script once it is done.
+REM
+REM Any error recovery for OEM script
+REM should be handled outside of this script
+REM post a reboot.
+REM
+uwfmgr servicing disable
+echo Restarting system
+goto UPDATE_EXIT
+
+:UPDATE_EXIT
+echo UpdateAgent exiting.
+shutdown -r -t 5
+EXIT /B
+```
+
+## Related articles
+
+[Service UWF-protected devices](service-uwf-protected-devices.md)
+
+[Unified Write Filter]( index.md)
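Review bot: the block from `REM servicing of the device with UWF installed.` to `EXIT /B` is a Windows batch file (UwfServicingMasterScript.cmd) but is fenced as `powershell`; tag it `cmd` or `bat` so highlighting and copy/paste behave. The header comment appears to begin mid-sentence (`REM servicing of the device with UWF installed.`) and `REM Will then run again on the following reboot` has lost its subject, so check the first lines against the shipped file. Also note that `if ERRORLEVEL 3010 goto UPDATE_REBOOT` followed by `if ERRORLEVEL 0 goto UPDATE_SUCCESS` sends every exit code from 1 through 3009 to UPDATE_SUCCESS, because `IF ERRORLEVEL n` is true for any errorlevel greater than or equal to n; the `:UPDATE_ERROR` path is reachable only with a negative exit code. If the page must reproduce the shipped script verbatim, a sentence after the block pointing this out would stop readers copying the pattern into their own servicing scripts. The `ms.date: 05/02/2017` is also out of step with the 05/20/2024 date on the other new pages.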
diff --git a/windows/configuration/unified-write-filter/uwf-overlay.md b/windows/configuration/unified-write-filter/uwf-overlay.md
new file mode 100644
index 0000000000..db7a523a51
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlay.md
@@ -0,0 +1,164 @@
+---
+title: UWF_Overlay
+description: UWF_Overlay
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Overlay
+
+Contains the current size of the Unified Write Filter (UWF) overlay and manages the critical and warning thresholds for the overlay size.
+
+## Syntax
+
+```powershell
+class UWF_Overlay {
+ [key] string Id;
+ [read] UInt32 OverlayConsumption;
+ [read] UInt32 AvailableSpace;
+ [read] UInt32 CriticalOverlayThreshold;
+ [read] UInt32 WarningOverlayThreshold;
+
+ UInt32 GetOverlayFiles(
+ [in] string Volume,
+ [out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[]
+ );
+ UInt32 SetWarningThreshold(
+ UInt32 size
+ );
+ UInt32 SetCriticalThreshold(
+ UInt32 size
+ );
+};
+```
+
+## Members
+
+The following tables list any methods and properties that belong to this class.
+
+| Methods | Description |
+|---------|-------------|
+| [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) | Returns a list of files of a volume that were cached in the UWF overlay. |
+| [UWF_Overlay.SetWarningThreshold](uwf-overlaysetwarningthreshold.md) | Sets the warning threshold for monitoring the size of the UWF overlay. |
+| [UWF_Overlay.SetCriticalThreshold](uwf-overlaysetcriticalthreshold.md) | Sets the critical warning threshold for monitoring the size of the UWF overlay. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| ID | string | [key] | A unique ID. This is always set to **UWF_Overlay**. |
+| OverlayConsumption | Uint32 | [read] | The current size, in megabytes, of the UWF overlay. |
+| AvailableSpace | Uint32 | [read] | The amount of free space, in megabytes, available to the UWF overlay. |
+| CriticalOverlayThreshold | Uint32 | [read] | The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value. |
+| WarningOverlayThreshold | Uint32 | [read] | The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value. |
+
+### Examples
+
+The following example demonstrates how to use the UWF overlay by using the WMI provider in a PowerShell script.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Function to set the Unified Write Filter overlay warning threshold
+
+function Set-OverlayWarningThreshold($ThresholdSize) {
+
+# Retrieve the overlay WMI object
+
+ $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
+
+ if(!$OverlayInstance) {
+ "Unable to get handle to an instance of the UWF_Overlay class"
+ return;
+ }
+
+# Call the instance method to set the warning threshold value
+
+ $retval = $OverlayInstance.SetWarningThreshold($ThresholdSize);
+
+# Check the return value to verify that setting the warning threshold is successful
+
+ if ($retval.ReturnValue -eq 0) {
+ "Overlay warning threshold has been set to " + $ThresholdSize + " MB"
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+# Function to set the Unified Write Filter overlay critical threshold
+
+function Set-OverlayCriticalThreshold($ThresholdSize) {
+
+# Retrieve the overlay WMI object
+
+ $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
+
+ if(!$OverlayInstance) {
+ "Unable to get handle to an instance of the UWF_Overlay class"
+ return;
+ }
+
+# Call the instance method to set the warning threshold value
+
+ $retval = $OverlayInstance.SetCriticalThreshold($ThresholdSize);
+
+# Check the return value to verify that setting the critical threshold is successful
+
+ if ($retval.ReturnValue -eq 0) {
+ "Overlay critical threshold has been set to " + $ThresholdSize + " MB"
+ } else {
+ "Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
+ }
+}
+
+# Function to print the current overlay information
+
+function Get-OverlayInformation() {
+
+# Retrieve the Overlay WMI object
+
+ $OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
+
+ if(!$OverlayInstance) {
+ "Unable to get handle to an instance of the UWF_Overlay class"
+ return;
+ }
+
+# Display the current values of the overlay properties
+
+ "`nOverlay Consumption: " + $OverlayInstance.OverlayConsumption
+ "Available Space: " + $OverlayInstance.AvailableSpace
+ "Critical Overlay Threshold: " + $OverlayInstance.CriticalOverlayThreshold
+ "Warning Overlay Threshold: " + $OverlayInstance.WarningOverlayThreshold
+}
+
+# Examples of using these functions
+
+"`nSetting the warning threshold to 768 MB."
+Set-OverlayWarningThreshold( 768 )
+
+"`nSetting the critical threshold to 896 MB."
+Set-OverlayCriticalThreshold( 896 )
+
+"`nDisplaying the current state of the overlay."
+Get-OverlayInformation
+```
+
+### Remarks
+
+Only one **UFW\_Overlay** instance exists for a system protected with UWF.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
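Review bot: the Remarks line `Only one **UFW\_Overlay** instance exists` misspells the class name; it should read `UWF_Overlay`. The Members intro says "The following tables list any methods and properties" but only the second table has a heading (`### Properties`); add `### Methods` above the first table as uwf-overlayconfig.md in this PR does, and align the property name `ID` in the table with `Id` in the syntax block. In the example, `$COMPUTER = "localhost"` is declared but never passed to `Get-WMIObject`, so either delete it or wire it in as `-ComputerName $COMPUTER`; and the failure branch `"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue` prints a bare lowercase hex value, whereas `"0x{0:X8}"` would match the way the linked WMI error constants are listed. The functions are otherwise a good model, since they do check `ReturnValue -eq 0` before claiming success.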
diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfig.md b/windows/configuration/unified-write-filter/uwf-overlayconfig.md
new file mode 100644
index 0000000000..ff15b1fcb2
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlayconfig.md
@@ -0,0 +1,159 @@
+---
+title: UWF_OverlayConfig
+description: UWF_OverlayConfig
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_OverlayConfig
+
+Displays and configures global settings for the Unified Write Filter (UWF) overlay. You can modify the maximum size and the type of the UWF overlay.
+
+## Syntax
+
+```powershell
+class UWF_OverlayConfig{
+ [key, Read] boolean CurrentSession;
+ [read] UInt32 Type;
+ [read] SInt32 MaximumSize;
+
+ UInt32 SetType(
+ UInt32 type
+ );
+ UInt32 SetMaximumSize(
+ UInt32 size
+ );
+};
+```
+
+## Members
+
+The following tables list the methods and properties that belong to this class.
+
+### Methods
+
+| Method | Description |
+|--------|-------------|
+| [UWF_OverlayConfig.SetMaximumSize](uwf-overlayconfigsetmaximumsize.md) | Sets the maximum cache size, in megabytes, of the overlay. |
+| [UWF_OverlayConfig.SetType](uwf-overlayconfigsettype.md) | Sets the type of the UWF overlay to either RAM-based or disk-based. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for. - **True** for the current session - **False** for the next session that begins after a restart. |
+| Type | UInt32 | [read] | Indicates the type of overlay. - **0** for a RAM-based overlay- **1** for a disk-based overlay. |
+| MaximumSize | SInt32 | [read] | Indicates the maximum cache size, in megabytes, of the overlay. |
+
+### Remarks
+
+Changes to the overlay configuration take effect on the next restart in which UWF is enabled.
+
+Before you can change the **Type** or **MaximumSize** properties, UWF must be disabled in the current session.
+
+### Example
+
+The following example demonstrates how to change the maximum size or the storage type of the overlay in UWF by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
+
+The PowerShell script creates two functions to modify the overlay configuration. It then demonstrates how to use the functions. The first function, **Set-OverlaySize**, sets the maximum size of the overlay. The second function, **Set-OverlayType**, sets the type of the overlay to RAM-based or disk-based.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define common parameters
+
+$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
+
+function Set-OverlaySize([UInt32] $size) {
+
+# This function sets the size of the overlay to which file and registry changes are redirected
+# Changes take effect after the next restart
+
+# $size is the maximum size in MB of the overlay
+
+# Make sure that UWF is currently disabled
+
+ $UWFFilter = Get-WmiObject -class UWF_Filter @commonParams
+
+ if ($UWFFilter.CurrentEnabled -eq $false) {
+
+# Get the configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams;
+
+ if ($nextConfig) {
+
+# Set the maximum size of the overlay
+
+ $nextConfig.SetMaximumSize($size);
+ write-host "Set overlay max size to $size MB."
+ }
+ } else {
+ write-host "UWF must be disabled in the current session before you can change the overlay size."
+ }
+}
+
+function Set-OverlayType([UInt32] $overlayType) {
+
+# This function sets the type of the overlay to which file and registry changes are redirected
+# Changes take effect after the next restart
+
+# $overlayType is the type of storage that UWF uses to maintain the overlay. 0 = RAM-based; 1 = disk-based.
+
+ $overlayTypeText = @("RAM-based", "disk-based")
+
+# Make sure that the overlay type is a valid value
+
+ if ($overlayType -eq 0 -or $overlayType -eq 1) {
+
+# Make sure that UWF is currently disabled
+
+ $UWFFilter = Get-WmiObject -class UWF_Filter @commonParams
+
+ if ($UWFFilter.CurrentEnabled -eq $false) {
+
+# Get the configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams;
+
+ if ($nextConfig) {
+
+# Set the type of the overlay
+
+ $nextConfig.SetType($overlayType);
+ write-host "Set overlay type to $overlayTypeText[$overlayType]."
+ }
+ } else {
+ write-host "UWF must be disabled in the current session before you can change the overlay type."
+ }
+ } else {
+ write-host "Invalid value for overlay type. Valid values are 0 (RAM-based) or 1 (disk-based)."
+ }
+}
+
+# The following sample commands demonstrate how to use the functions to change the overlay configuration
+
+$RAMMode = 0
+$DiskMode = 1
+
+Set-OverlaySize 2048
+
+Set-OverlayType $DiskMode
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+
+[Unified Write Filter]( index.md)
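Review bot: in `Set-OverlaySize` and `Set-OverlayType` the results of `$nextConfig.SetMaximumSize($size);` and `$nextConfig.SetType($overlayType);` are discarded and the success message is printed unconditionally, so a rejected call (for instance a disk-based size below the 1024 MB minimum stated on the SetMaximumSize page, or insufficient free space on the system volume) is reported as `Set overlay max size to ... MB.`; capture the return value and test `.ReturnValue -eq 0` as the UWF_Overlay example in this PR does. `write-host "Set overlay type to $overlayTypeText[$overlayType]."` also does not index inside a double-quoted string: PowerShell expands `$overlayTypeText` to `RAM-based disk-based` and appends the literal `[1]`, so use `$($overlayTypeText[$overlayType])`. Finally `$RAMMode = 0` is defined but never used, and the table entry `- **0** for a RAM-based overlay- **1** for a disk-based overlay.` is missing the space before the second dash.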
diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md b/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md
new file mode 100644
index 0000000000..82755919f7
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlayconfigsetmaximumsize.md
@@ -0,0 +1,55 @@
+---
+title: UWF_OverlayConfig.SetMaximumSize
+description: UWF_OverlayConfig.SetMaximumSize
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_OverlayConfig.SetMaximumSize
+
+Sets the maximum cache size of the Unified Write Filter (UWF) overlay.
+
+## Syntax
+
+```powershell
+UInt32 SetMaximumSize(
+ UInt32 size
+);
+```
+
+## Parameters
+
+**size**An integer that represents the maximum cache size, in megabytes, of the overlay.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+When the size of the overlay reaches the *size* value, UWF returns an error for any attempt to write to a protected volume.
+
+If the overlay type is disk-based, your device must meet the following requirements to change the maximum size of the overlay.
+
+- UWF must be disabled in the current session.
+- The *size* value must be at least 1024.
+- The system volume on your device must have available free space greater than the new maximum size value.
+
+If the overlay type is RAM-based, your device must meet the following requirement to change the maximum size of the overlay.
+
+- UWF must be disabled in the current session.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_OverlayConfig](uwf-overlayconfig.md)
+- [Unified Write Filter]( index.md)
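Review bot: the parameter entry `**size**An integer that represents the maximum cache size` has no separator between the bold name and its description and renders as "sizeAn integer"; put the description on its own line or after a colon (the same defect appears in uwf-overlayconfigsettype.md, uwf-overlaygetoverlayfiles.md and both threshold pages in this PR). The disk-based requirement "available free space greater than the new maximum size value" and the SetType page's "greater than the maximum size of the overlay" describe the same check in different words; align them and say whether the space is checked at call time or when UWF creates the overlay file at the next restart, since that is when a disk-full failure would surface.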
diff --git a/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md b/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md
new file mode 100644
index 0000000000..af23ce50dc
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlayconfigsettype.md
@@ -0,0 +1,58 @@
+---
+title: UWF_OverlayConfig.SetType
+description: UWF_OverlayConfig.SetType
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_OverlayConfig.SetType
+
+Sets the type of the Unified Write Filter (UWF) overlay to either RAM-based or disk-based.
+
+## Syntax
+
+```powershell
+UInt32 SetType(
+ UInt32 type
+);
+```
+
+## Parameters
+
+**type**The type of overlay. Set to **0** for a RAM-based overlay; set to **1** for a disk-based overlay.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Changes to the overlay type take effect during the next device restart in which UWF is enabled.
+
+When you change the overlay type from RAM-based to disk-based, UWF creates a file on the system volume. The file has a size equal to the **MaximumSize** property of [UWF_OverlayConfig](uwf-overlayconfig.md).
+
+Before you can change the overlay type to disk-based, your device must meet the following requirements.
+
+- UWF must be disabled in the current session.
+- The system volume on your device must have available free space greater than the maximum size of the overlay.
+- The maximum size of the overlay must be at least 1024 MB.
+
+Before you can change the overlay type to RAM-based, your device must meet the following requirements.
+
+- UWF must be disabled in the current session.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_OverlayConfig](uwf-overlayconfig.md)
+- [Overlay for Unified Write Filter (UWF)](uwfoverlay.md)
+- [Unified Write Filter]( index.md)
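Review bot: "Before you can change the overlay type to RAM-based, your device must meet the following requirements." introduces a single-item list, so "requirement" (as the SetMaximumSize page already says). The related-articles link `[Overlay for Unified Write Filter (UWF)](uwfoverlay.md)` does not follow the `uwf-*.md` naming used by every other file this PR adds and no `uwfoverlay.md` appears in the diff, so confirm the target exists or the link will break. Same `**type**The type of overlay.` missing separator as the other parameter pages.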
diff --git a/windows/configuration/unified-write-filter/uwf-overlayfile.md b/windows/configuration/unified-write-filter/uwf-overlayfile.md
new file mode 100644
index 0000000000..9a0887c3c0
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlayfile.md
@@ -0,0 +1,51 @@
+---
+title: UWF_OverlayFile
+description: UWF_OverlayFile
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_OverlayFile
+
+Contains a file that is currently in the overlay for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+class UWF_OverlayFile {
+ [read] string FileName;
+ [read] UInt64 FileSize;
+};
+```
+
+## Members
+
+The following table lists any properties that belong to this class.
+
+### Properties
+
+| Property | Data type | Qualifier | Description |
+|----------|----------------|-----------|-------------|
+| FileName | string | [read] | The name of the file in the file overlay. |
+| FileSize | UInt64 | [read] | The size of the file in the file overlay. |
+
+### Remarks
+
+You cannot use the **UWF_ OverlayFile** class directly to get overlay files. You must use the **UWF_Overlay.GetOverlayFiles** method to retrieve **UWF_ OverlayFile** objects.
+
+For more information about specific limitations and conditions when using the **GetOverlayFiles** method, see the **Remarks** section in the [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) topic in the UWF WMI provider technical reference.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+- [Unified Write Filter]( index.md)
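Review bot: `**UWF_ OverlayFile**` (twice in Remarks) has a space inside the class name; it should be `UWF_OverlayFile` to match the title and the syntax block. The `FileSize` description gives no unit; the UWF_Overlay properties are documented in megabytes, so state whether `FileSize` is in bytes or megabytes. "You cannot" also departs from the contraction style ("can't") used on the other new pages.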
diff --git a/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md b/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md
new file mode 100644
index 0000000000..cc8bba2b30
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlaygetoverlayfiles.md
@@ -0,0 +1,67 @@
+---
+title: UWF_Overlay.GetOverlayFiles
+description: UWF_Overlay.GetOverlayFiles
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Overlay.GetOverlayFiles
+
+Returns a list of files of a volume that were cached in the Unified Write Filter (UWF) overlay.
+
+## Syntax
+
+```powershell
+UInt32 GetOverlayFiles(
+ [in] string Volume,
+ [out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[]
+);
+```
+
+## Parameters
+
+**Volume**A string that specifies the drive letter or volume name.
+
+**OverlayFiles**An array of **UWF_OverlayFiles** objects embedded as strings.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to access this method.
+
+The **GetOverlayFiles** method is intended to be used as a diagnostic tool.
+
+Do not base decisions about what to commit based on this method’s output.
+
+You should be aware of the following limitations:
+
+- This method is only supported on the NTFS file system.
+- This method requires a significant amount of free system memory to succeed (in a linear relationship to overlay usage). The method call fails when there is insufficient memory available to complete the call.
+- This method requires significant time to complete (in an exponential relationship to overlay usage).
+- This method may show files that are affected by seemingly unrelated operations to both registry and file exclusions and commits.
+
+You should also be aware of the following items when you use the **GetOverlayFiles** method:
+
+- Files that were committed with the `uwfmgr.exe file commit` command are also contained in the overlay files list.
+- Excluded files may be contained in the overlay files list.
+- Files that are smaller than the cluster size (for example, 4 KB in most cases) will not be listed even if they are cached in overlay.
+- Changes and deletions in excluded directories, excluded files, or excluded registry items add to overlay usage.
+- File and registry commits add to overlay usage.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Overlay](uwf-overlay.md)
+- [Unified Write Filter]( index.md)
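Review bot: `**OverlayFiles**An array of **UWF_OverlayFiles** objects` names a class that does not exist; the embedded instances are `UWF_OverlayFile` (singular), as the syntax block's `EmbeddedInstance("UWF_OverlayFile")` states, and the entry needs a separator after the bold name. "Do not base decisions about what to commit based on this method's output." doubles up "base ... based on"; "Do not decide what to commit from this method's output" reads cleanly. The limitation "may show files that are affected by seemingly unrelated operations to both registry and file exclusions and commits" is hard to parse, and the second list already says that exclusions and commits (file and registry) add to overlay usage, so the two statements could be merged into one clear sentence.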
diff --git a/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md b/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md
new file mode 100644
index 0000000000..687ef6b6b1
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlaysetcriticalthreshold.md
@@ -0,0 +1,51 @@
+---
+title: UWF_Overlay.SetCriticalThreshold
+description: UWF_Overlay.SetCriticalThreshold
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Overlay.SetCriticalThreshold
+
+Sets the critical threshold for monitoring the size of the Unified Write Filter (UWF) overlay.
+
+## Syntax
+
+```powershell
+UInt32 SetCriticalThreshold(
+ UInt32 size
+);
+```
+
+## Parameters
+
+**size**An integer that represents the size, in megabytes, of the critical threshold level for the overlay. If *size* is 0 (zero), UWF does not raise critical threshold events.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log.
+
+| Message ID | Event code | Message text |
+|------------|------------|--------------|
+| UWF_OVERLAY_REACHED_CRITICAL_LEVEL | 0x80010002L | The UWF overlay size has reached CRITICAL level. |
+
+The critical threshold must be higher than the warning threshold.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Overlay](uwf-overlay.md)
+- [Unified Write Filter]( index.md)
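Review bot: "The critical threshold must be higher than the warning threshold." and the parameter note "If *size* is 0 (zero), UWF does not raise critical threshold events." need reconciling: it is unclear whether 0 is exempt from the ordering rule (warning at 768 with critical set to 0), and the page does not say which HRESULT comes back when the rule is violated, so readers cannot write a correct check on the return value. Spell out both. Same `**size**An integer` missing separator as the other parameter pages.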
diff --git a/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md b/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md
new file mode 100644
index 0000000000..66e7999304
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-overlaysetwarningthreshold.md
@@ -0,0 +1,51 @@
+---
+title: UWF_Overlay.SetWarningThreshold
+description: UWF_Overlay.SetWarningThreshold
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Overlay.SetWarningThreshold
+
+Sets the warning threshold for monitoring the size of the Unified Write Filter (UWF) overlay.
+
+## Syntax
+
+```powershell
+UInt32 SetWarningThreshold(
+ UInt32 size
+);
+```
+
+## Parameters
+
+**size**An integer that represents the size, in megabytes, of the warning threshold level for the overlay. If *size* is set to 0 (zero), UWF does not raise warning threshold events.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log.
+
+| Message ID | Event code | Message text |
+|------------|------------|--------------|
+|UWF_OVERLAY_REACHED_WARNING_LEVEL | 0x80010001L | The UWF overlay size has reached WARNING level. |
+
+The warning threshold must be lower than the critical threshold.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Overlay](uwf-overlay.md)
+- [Unified Write Filter]( index.md)
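Review bot: given the constraint on this page and its counterpart ("The warning threshold must be lower than the critical threshold"), the order in which the two methods are called matters whenever both thresholds move: raising both needs SetCriticalThreshold first, lowering both needs SetWarningThreshold first, or the intermediate state violates the rule. The UWF_Overlay example in this PR calls SetWarningThreshold(768) before SetCriticalThreshold(896), which only succeeds if the existing critical threshold is already above 768; a sentence here on call order, plus the default threshold values, would prevent a puzzling failure. The parameter entry `**size**An integer` also needs a separator after the bold name.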
diff --git a/windows/configuration/unified-write-filter/uwf-registryfilter.md b/windows/configuration/unified-write-filter/uwf-registryfilter.md
new file mode 100644
index 0000000000..5e6316cb9b
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfilter.md
@@ -0,0 +1,269 @@
+---
+title: UWF_RegistryFilter
+description: UWF_RegistryFilter
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter
+
+Adds or removes registry exclusions from Unified Write Filter (UWF) filtering, and also commits registry changes.
+
+## Syntax
+
+```powershell
+class UWF_RegistryFilter{
+ [key, Read] boolean CurrentSession;
+ [Read, Write] boolean PersistDomainSecretKey;
+ [Read, Write] boolean PersistTSCAL;
+
+ UInt32 AddExclusion(
+ string RegistryKey
+ );
+ UInt32 RemoveExclusion(
+ string RegistryKey
+ );
+ UInt32 FindExclusion(
+ [in] string RegistryKey,
+ [out] boolean bFound
+ );
+ UInt32 GetExclusions(
+ [out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[]
+ );
+ UInt32 CommitRegistry(
+ [in] string RegistryKey,
+ [in] string ValueName
+ );
+ UInt32 CommitRegistryDeletion(
+ string Registrykey,
+ string ValueName
+ );
+};
+```
+
+## Members
+
+The following tables list the methods and properties that belong to this class.
+
+| Method | Description |
+|--------|-------------|
+| [UWF_RegistryFilter.AddExclusion](uwf-registryfilteraddexclusion.md) | Adds a registry key to the registry exclusion list for UWF. |
+| [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md) | Commits changes to the specified registry key and value. |
+| [UWF_RegistryFilter.CommitRegistryDeletion](uwf-registryfiltercommitregistrydeletion.md) | Deletes the specified registry key or registry value and commits the deletion. |
+| [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) | Determines whether a specific registry key is excluded from being filtered by UWF. |
+| [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) | Retrieves all registry key exclusions from a system that is protected by UWF |
+| [UWF_RegistryFilter.RemoveExclusion](uwf-registryfilterremoveexclusion.md) | Removes a registry key from the registry exclusion list for Unified Write Filter (UWF). |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for. - **True** if settings are for the current session - **False** if settings are for the next session that follows a restart. |
+| PersistDomainSecretKey | Boolean | [read, write] | Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart.- **True** to include in the exclusion list - Otherwise **False**. |
+| PersistTSCAL | Boolean | [read, write] | Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. - **True** to include in the exclusion list- Otherwise, set to **False** |
+
+### Remarks
+
+Additions or removals of registry exclusions, including changes to the values of **PersistDomainSecretKey** and **PersistTSCAL**, take effect after the next restart in which UWF is enabled.
+
+You can only add registry keys in the HKLM registry root to the UWF registry exclusion list.
+
+You can also use **UWF_RegistryFilter** to exclude the domain secret registry key and the TSCAL registry key from UWF filtering.
+
+### Example
+
+The following example demonstrates how to manage UWF registry exclusions by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
+
+The PowerShell script creates four functions, and then demonstrates how to use them.
+
+The first function, **Get-RegistryExclusions**, displays a list of UWF registry exclusions for both the current session and the next session that follows a restart.
+
+The second function, **Add-RegistryExclusion**, adds a registry entry to the UWF registry exclusion list after you restart the device.
+
+The third function, **Remove-RegistryExclusion**, removes a registry entry from the UWF exclusion list after you restart the device.
+
+The fourth function, **Clear-RegistryExclusions**, removes all UWF registry exclusions. You must restart the device before UWF stops filtering the exclusions.
+
+```powershell
+$COMPUTER = "EMBEDDEDDEVICE"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define common parameters
+
+$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
+
+function Get-RegistryExclusions() {
+
+# This function lists the UWF registry exclusions, both
+# for the current session as well as the next session after a restart.
+
+
+# Get the UWF_RegistryFilter configuration for the current session
+
+ $currentConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
+ where {
+ $_.CurrentSession -eq $true
+ };
+
+# Get the UWF_RegistryFilter configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
+ where {
+ $_.CurrentSession -eq $false
+ };
+
+# Display registry exclusions for the current session
+
+ if ($currentConfig) {
+
+ Write-Host ""
+ Write-Host "The following registry entries are currently excluded from UWF filtering:";
+
+ $currentExcludedList = $currentConfig.GetExclusions()
+
+ if ($currentExcludedList.ExcludedKeys) {
+ foreach ($registryExclusion in $currentExcludedList.ExcludedKeys) {
+ Write-Host " " $registryExclusion.RegistryKey
+ }
+ } else {
+ Write-Host " None"
+ }
+ } else {
+ Write-Error "Could not retrieve UWF_RegistryFilter.";
+}
+
+# Display registry exclusions for the next session after a restart
+
+ if ($nextConfig) {
+
+ Write-Host ""
+ Write-Host "The following registry entries will be excluded from UWF filtering after the next restart:";
+
+ $nextExcludedList = $nextConfig.GetExclusions()
+
+ if ($nextExcludedList.ExcludedKeys) {
+ foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) {
+ Write-Host " " $registryExclusion.RegistryKey
+ }
+ } else {
+ Write-Host " None"
+ }
+ Write-Host ""
+ }
+}
+
+function Add-RegistryExclusion($exclusion) {
+
+# This function adds a new UWF registry exclusion.
+# The new registry exclusion takes effect the next time the device is restarted and UWF is enabled.
+
+# $exclusion is the path of the registry exclusion
+
+# Get the UWF_RegistryFilter configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
+ where {
+ $_.CurrentSession -eq $false
+ };
+
+# Add the exclusion
+
+ if ($nextConfig) {
+ $nextConfig.AddExclusion($exclusion) | Out-Null;
+ Write-Host "Added exclusion $exclusion.";
+ } else {
+ Write-Error "Could not retrieve UWF_RegistryFilter";
+ }
+}
+
+function Remove-RegistryExclusion($exclusion) {
+
+# This function removes a UWF registry exclusion.
+# The registry exclusion is removed the next time the device is restarted
+
+# $exclusion is the path of the registry exclusion
+
+# Get the UWF_RegistryFilter configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
+ where {
+ $_.CurrentSession -eq $false
+ };
+
+# Try to remove the exclusion
+
+ if ($nextConfig) {
+ try {
+ $nextConfig.RemoveExclusion($exclusion) | Out-Null;
+ Write-Host "Removed exclusion $exclusion.";
+ } catch {
+ Write-Host "Could not remove exclusion $exclusion."
+ }
+ } else {
+ Write-Error "Could not retrieve UWF_RegistryFilter";
+ }
+}
+
+function Clear-RegistryExclusions() {
+
+# This function removes all UWF registry exclusions
+# The registry exclusions are removed the next time the device is restarted
+
+# Get the configuration for the next session
+
+ $nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
+ where {
+ $_.CurrentSession -eq $false
+ };
+
+# Remove all registry exclusions
+
+ if ($nextConfig) {
+
+ Write-Host "Removing all registry exclusions:";
+
+ $nextExcludedList = $nextConfig.GetExclusions()
+
+ if ($nextExcludedList) {
+ foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) {
+ Write-Host "Removing:" $registryExclusion.RegistryKey
+ $nextConfig.RemoveExclusion($registryExclusion.RegistryKey) | Out-Null
+ }
+ } else {
+ Write-Host "No registry exclusions to remove."
+ }
+ Write-Host ""
+ }
+}
+
+# Some examples of using the functions
+
+Clear-RegistryExclusions
+
+Get-RegistryExclusions
+
+Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
+Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers\(Default)"
+
+Get-RegistryExclusions
+
+Remove-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
+
+Get-RegistryExclusions
+
+Clear-RegistryExclusions
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
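Review bot: In Clear-RegistryExclusions the guard `if ($nextExcludedList)` tests the object returned by `GetExclusions()`, which is always non-null, so the "No registry exclusions to remove." branch can never run; test `$nextExcludedList.ExcludedKeys` as Get-RegistryExclusions already does (the GetExclusions page states that ExcludedKeys is set to null when the list is empty). The second sample call, `Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers\(Default)"`, appears to end in a value name rather than a key, while AddExclusion is documented as taking the full path of a registry key; use a key path here or explain the intent. In the property table, the PersistDomainSecretKey and PersistTSCAL rows run the True/False bullets into the preceding sentence (`restart.- **True** to include`); separate them with a period and a space or a line break. Finally, `$COMPUTER = "EMBEDDEDDEVICE"` should carry a comment that it is a placeholder the reader must replace (the UWF_Servicing example in this same patch uses "localhost").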
diff --git a/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md
new file mode 100644
index 0000000000..38aa47814c
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfilteraddexclusion.md
@@ -0,0 +1,58 @@
+---
+title: UWF_RegistryFilter.AddExclusion
+description: UWF_RegistryFilter.AddExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.AddExclusion
+
+Adds a registry key to the registry exclusion list for Unified Write Filter (UWF).
+
+> [!IMPORTANT]
+> Only registry subkeys under the following registry keys can be added to the exclusion list.
+>
+> - HKEY_LOCAL_MACHINE\BCD00000000
+> - HKEY_LOCAL_MACHINE\SYSTEM
+> - HKEY_LOCAL_MACHINE\SOFTWARE
+> - HKEY_LOCAL_MACHINE\SAM
+> - HKEY_LOCAL_MACHINE\SECURITY
+> - HKEY_LOCAL_MACHINE\COMPONENTS
+
+> [!IMPORTANT]
+> Excluding a registry key from filtering also excludes all subkeys from filtering.
+
+## Syntax
+
+```powershell
+UInt32 AddExclusion(
+ string RegistryKey
+);
+```
+
+## Parameters
+
+**RegistryKey**A string that contains the full path of the registry key.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must restart the device before the registry key is excluded from UWF filtering.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
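Review bot: In Parameters, `**RegistryKey**A string that contains the full path of the registry key.` runs the parameter name straight into its description; add a space or a line break after the bold name, and use the same `\[in\]` layout the FindExclusion page uses. The Syntax block also omits the `[in]` qualifier that the CommitRegistry and FindExclusion pages show on their parameters; add it so the signatures read consistently across the UWF_RegistryFilter method pages.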
diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md
new file mode 100644
index 0000000000..ff2fd4cdc2
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistry.md
@@ -0,0 +1,50 @@
+---
+title: UWF_RegistryFilter.CommitRegistry
+description: UWF_RegistryFilter.CommitRegistry
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.CommitRegistry
+
+Commits changes to the specified registry key and value.
+
+## Syntax
+
+```powershell
+UInt32 CommitRegistry(
+ [in] string RegistryKey,
+ [in] string ValueName
+);
+```
+
+## Parameters
+
+**RegistryKey**A string that contains the full path of the registry key to be committed.
+
+**ValueName**A string that contains the name of the value to be committed.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+This method will commit only the value specified by *ValueName* under *RegistryKey* if *ValueName* is specified.
+
+You must use an administrator account to change any properties or call any methods that change the configuration settings.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
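Review bot: Remarks only covers the case where *ValueName* is supplied ("This method will commit only the value specified by *ValueName* under *RegistryKey* if *ValueName* is specified.") and leaves the behavior for an empty *ValueName* undocumented, whereas the sibling CommitRegistryDeletion page states explicitly what happens when *ValueName* is empty; document whether the whole key is committed or the call fails. The same missing separator as on the AddExclusion page appears in `**RegistryKey**A string` and `**ValueName**A string`.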
diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md
new file mode 100644
index 0000000000..a7e69eb970
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfiltercommitregistrydeletion.md
@@ -0,0 +1,52 @@
+---
+title: UWF_RegistryFilter.CommitRegistryDeletion
+description: UWF_RegistryFilter.CommitRegistryDeletion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.CommitRegistryDeletion
+
+Deletes the specified registry key or registry value and commits the deletion.
+
+## Syntax
+
+```powershell
+UInt32 CommitRegistryDeletion(
+ string Registrykey,
+ string ValueName
+);
+```
+
+## Parameters
+
+**RegistryKey**A string that contains the full path of the registry key that contains the value to be deleted. If *ValueName* is empty, the entire registry key is deleted.
+
+**ValueName**A string that contains the name of the value to be deleted.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+If *ValueName* is specified, this method will delete only the value specified by *ValueName* that is contained by *RegistryKey*. If *ValueName* is empty, the entire *RegistryKey* and all its sub keys are deleted.
+
+This method deletes the registry key or registry value from both the overlay and the persistent storage.
+
+You must use an administrator account to change any properties or call any methods that change the configuration settings.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
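Review bot: The Syntax block names the first parameter `Registrykey` while the Parameters section and every other UWF_RegistryFilter page spell it `RegistryKey`; use one spelling. Since Remarks says the deletion is applied to both the overlay and the persistent storage, consider stating next to it that a restart therefore does not reverse the deletion, so callers treat it with the same care as CommitRegistry. Minor: `**RegistryKey**A string` and `**ValueName**A string` lack a separator, and "sub keys" should be "subkeys".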
diff --git a/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md
new file mode 100644
index 0000000000..fec85d3b5e
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfilterfindexclusion.md
@@ -0,0 +1,44 @@
+---
+title: UWF_RegistryFilter.FindExclusion
+description: UWF_RegistryFilter.FindExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.FindExclusion
+
+Checks if a specific registry key is excluded from being filtered by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 FindExclusion(
+ [in] string RegistryKey,
+ [out] boolean bFound
+);
+```
+
+## Parameters
+
+**RegistryKey**\[in\] A string that contains the full path of the registry key.
+
+**bFound**\[out\] Indicates if the *RegistryKey* is in the exclusion list of registry keys.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md b/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md
new file mode 100644
index 0000000000..3f3e8802ba
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfiltergetexclusions.md
@@ -0,0 +1,45 @@
+---
+title: UWF_RegistryFilter.GetExclusions
+description: UWF_RegistryFilter.GetExclusions
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.GetExclusions
+
+Retrieves all registry key exclusions from a device that is protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 GetExclusions(
+ [out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[]
+);
+```
+
+## Parameters
+
+**ExcludedKeys**\[out\] An array of [UWF_ExcludedRegistryKey](uwf-excludedregistrykey.md) objects that represent the registry keys excluded from UWF filtering.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+If this method does not find any registry keys in the registry key exclusion list, it sets the *ExcludedKeys* parameter to null.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md b/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md
new file mode 100644
index 0000000000..03e5282ad8
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-registryfilterremoveexclusion.md
@@ -0,0 +1,45 @@
+---
+title: UWF_RegistryFilter.RemoveExclusion
+description: UWF_RegistryFilter.RemoveExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_RegistryFilter.RemoveExclusion
+
+Removes a registry key from the registry exclusion list for Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 RemoveExclusion(
+ string RegistryKey
+);
+```
+
+## Parameters
+
+**RegistryKey**A string that contains the full path of the registry key.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must restart the device before the registry key is excluded from UWF filtering.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_RegistryFilter](uwf-registryfilter.md)
+- [Unified Write Filter]( index.md)
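Review bot: The Remarks sentence "You must restart the device before the registry key is excluded from UWF filtering." is copied from the AddExclusion page and states the opposite of what RemoveExclusion does; it should say that the key is no longer excluded (that is, UWF filters it again) only after the restart. Also `**RegistryKey**A string` is missing the separator between the parameter name and its description.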
diff --git a/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md b/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md
new file mode 100644
index 0000000000..c9672f601b
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-servicing-screen-saver.md
@@ -0,0 +1,51 @@
+---
+title: UWF servicing screen saver
+description: UWF servicing screen saver
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# UWF servicing screen saver
+
+The default settings for the Unified Write Filter (UWF) servicing screen saver can be changed through the Windows registry to use custom text, title, font, and color settings.
+
+The UWF servicing screen saver (UwfServicingScr.scr) is located in the \\Windows\\System32 folder.
+
+> [!IMPORTANT]
+> When UWF is installed on your device, when you right-click on the **Desktop**, and then click **Personalize** > **Screen Saver**, the UWF servicing screen saver will appear in the list of available screen savers in the **Screen Saver Settings** dialog box.
+
+Do not select **UwfServicingScr** as the screen saver and then click **Preview**, as you will not be able to exit the UWF servicing screen saver by moving the mouse or pressing a key. The only way to exit the UWF servicing screen saver in this case is by pressing the Ctrl+Alt+Delete keys.
+
+## Modify the default registry settings for the UWF servicing screen saver
+
+1. To modify the default registry settings for the UWF servicing screen saver, from the example shown here, change the values in a text editor, and then save as a .reg file (for example, Overridescreensaver.reg).
+
+ ```powershell
+ Windows Registry Editor Version 5.00
+ [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\ServicingScreenSaver]
+ "ColorBackground"=dword:000000ff
+ "ColorText"=dword:0000ff00
+ "ColorProgress"=dword:00ff0000
+ "ScreenSaverTitle"="Device"
+ "ScreenSaverSubTitle"="Servicing device…"
+ "HideScreenSaverText"=dword:00000000
+ "HideScreenSaverProgress"=dword:00000000
+ "Font"="Algerian"
+ ```
+
+1. On the device, open a command prompt as an administrator. For Windows Shell, to open a command prompt, do the following:
+ 1. In Windows Explorer, move to \\Windows\\System32, right-click **cmd.exe**, and then click **Run as Administrator**.
+ 1. Accept the UAC prompt.
+1. To apply the custom registry settings for the screen saver to the device, type the following command:
+
+ ```powershell
+ regedit.exe /s overridescreensaver.reg
+ ```
+
+The next time the device enters UWF servicing mode, the UwfServicingScr.scr screen saver will use the custom settings.
+
+## Related articles
+
+[Service UWF-protected devices](service-uwf-protected-devices.md)
+
+[Unified Write Filter]( index.md)
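Review bot: The registry export in step 1 is fenced as ```powershell although it is a .reg file, and the `regedit.exe /s overridescreensaver.reg` line in step 3 is a command-prompt command; tag the first as plain text and the second as `cmd` so highlighting and the copy button match what the reader pastes. `ms.date: 05/02/2017` is the only date in this batch of files not updated to 05/20/2024. In the IMPORTANT note, "When UWF is installed on your device, when you right-click on the **Desktop**" has a doubled "when", and the paragraph that follows it (do not select **UwfServicingScr** and click **Preview**) is the actual warning and belongs inside the note rather than after it.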
diff --git a/windows/configuration/unified-write-filter/uwf-servicing.md b/windows/configuration/unified-write-filter/uwf-servicing.md
new file mode 100644
index 0000000000..324f86d59a
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-servicing.md
@@ -0,0 +1,99 @@
+---
+title: UWF_Servicing
+description: UWF_Servicing
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Servicing
+
+This class contains properties and methods that enable you to query and control Unified Write Filter (UWF) servicing mode.
+
+## Syntax
+
+```powershell
+class UWF_Servicing {
+ [key, read] boolean CurrentSession;
+ [read] boolean ServicingEnabled;
+
+ UInt32 Enable();
+ UInt32 Disable();
+ UInt32 UpdateWindows(
+ [out] UInt32 UpdateStatus
+ );
+};
+```
+
+## Members
+
+The following tables list the methods and properties that belong to this class.
+
+### Methods
+
+| Method | Description |
+|--------|-------------|
+|[UWF_Servicing.Disable](uwf-servicingdisable.md) | Disables Unified Write Filter (UWF) servicing mode.The system leaves servicing mode in the next session that follows a restart. |
+| [UWF_Servicing.Enable](uwf-servicingenable.md) | Enables Unified Write Filter (UWF) servicing mode.The system enters servicing mode in the next session that follows a restart. |
+| [UWF_Servicing.UpdateWindows](uwf-servicingupdatewindows.md) | Calls Windows Update to download and install critical and security updates for your device running Windows 10 Enterprise. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description & |
+|----------|----------------|------------|-------------|
+| CurrentSession | Boolean | [key, read] | Indicates when to enable servicing.- **True** if servicing is enabled in the current session- **False** if servicing will be enabled in the session that follows a restart. |
+| ServiceEnabled | Boolean | [read] | Indicates if the system is in servicing mode in the current session, or will be in servicing mode in the next session that follows a restart.- **True** if servicing is enabled- otherwise, **False**. |
+
+### Remarks
+
+This class only has two instances, one for the current session, and another for the next session that follows a restart.
+
+### Example
+
+The following example shows how to enable and disable UWF servicing mode on a device by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define common parameters
+
+$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
+
+# Enable UWF servicing
+
+$nextSession = Get-WmiObject -class UWF_Servicing @CommonParams | where {
+ $_.CurrentSession -eq $false
+}
+
+if ($nextSession) {
+
+ $nextSession.Enable() | Out-Null;
+ Write-Host "This device is enabled for servicing mode after the next restart."
+}
+
+# Disable UWF servicing
+
+$nextSession = Get-WmiObject -class UWF_Servicing @CommonParams | where {
+ $_.CurrentSession -eq $false
+}
+
+if ($nextSession) {
+
+ $nextSession.Disable() | Out-Null;
+ Write-Host "Servicing mode is now disabled for this device."
+}
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
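Review bot: The Properties table lists `ServiceEnabled` while the Syntax block declares `ServicingEnabled`; align the table with the class definition. In the same table, the `CurrentSession` description "Indicates when to enable servicing." describes a time rather than which instance the object represents, and the header reads `Description &` with a stray `&`. Both Methods rows run two sentences together (`mode.The system`). In the example, `Enable()` and `Disable()` are called back to back on the same next-session instance, so running the script as written leaves servicing mode disabled; split it into two clearly labelled snippets or comment that the second half reverses the first.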
diff --git a/windows/configuration/unified-write-filter/uwf-servicingdisable.md b/windows/configuration/unified-write-filter/uwf-servicingdisable.md
new file mode 100644
index 0000000000..616e9d6669
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-servicingdisable.md
@@ -0,0 +1,43 @@
+---
+title: UWF_Servicing.Disable
+description: UWF_Servicing.Disable
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Servicing.Disable
+
+Disables Unified Write Filter (UWF) servicing mode.
+
+## Syntax
+
+```powershell
+UInt32 Disable();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+When this method is called, the system will leave servicing mode in the next session after a restart.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Servicing](uwf-servicing.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-servicingenable.md b/windows/configuration/unified-write-filter/uwf-servicingenable.md
new file mode 100644
index 0000000000..8261b42c15
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-servicingenable.md
@@ -0,0 +1,43 @@
+---
+title: UWF_Servicing.Enable
+description: UWF_Servicing.Enable
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Servicing.Enable
+
+Enables Unified Write Filter (UWF) servicing mode.
+
+## Syntax
+
+```powershell
+UInt32 Enable();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+When this method is called, the system will enter servicing mode in the next session after a restart.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Servicing](uwf-servicing.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md b/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md
new file mode 100644
index 0000000000..2f5cb89d90
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-servicingupdatewindows.md
@@ -0,0 +1,53 @@
+---
+title: UWF_Servicing.UpdateWindows
+description: UWF_Servicing.UpdateWindows
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Servicing.UpdateWindows
+
+Calls Windows Update to download and install critical and security updates for your device running Windows 10 Enterprise.
+
+## Syntax
+
+```powershell
+UInt32 UpdateWindows(
+ [out] UInt32 UpdateStatus
+);
+```
+
+## Parameters
+
+**UpdateStatus**\[out\] An integer that contains the status of the Windows Update operation, according to the following table:
+
+| UpdateStatus | Description |
+|:----------------:|-------------------|
+| 0 | Success. |
+| 3010 | Restart required. |
+| Any other value. | Generic error. |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+This method is meant to be used as part of a servicing script. For more information, see [Service UWF-protected devices](service-uwf-protected-devices.md).
+
+This method does not disable or enable Unified Write Filter (UWF). If you call this method while UWF is enabled, updates may be lost when the device restarts.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Servicing](uwf-servicing.md)
+- [Unified Write Filter]( index.md)
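Review bot: The description says the method installs updates "for your device running Windows 10 Enterprise", but the Requirements table marks Education and IoT Enterprise as supported too; either drop the edition from the description or match the table. The Remarks caveat that updates may be lost if the method is called while UWF is enabled is the important operational point on this page and would be better placed first, ahead of the "servicing script" sentence. Minor: the last UpdateStatus row reads `Any other value.` with a trailing period unlike the other cells.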
diff --git a/windows/configuration/unified-write-filter/uwf-turnonuwf.md b/windows/configuration/unified-write-filter/uwf-turnonuwf.md
new file mode 100644
index 0000000000..65d54c3fd7
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-turnonuwf.md
@@ -0,0 +1,146 @@
+---
+title: Unified Write Filter (UWF) feature (uwf-turnonuwf)
+description: Unified Write Filter (UWF) feature (uwf-turnonuwf)
+ms.date: 05/20/2024
+ms.topic: reference
+ms.custom: RS5
+---
+
+# Use the Unified Write Filter (UWF) feature
+
+The Unified Write Filter (UWF) is an Windows 10 optional feature.
+
+To use UWF, you'll first need to install the feature.
+
+Next, you'll enable (and optionally configure) the feature. The first time you enable UWF on your device, UWF makes the following changes to your system to improve the performance of UWF:
+
+- Paging files are disabled.
+- System restore is disabled.
+- SuperFetch (aka "SysMain" service) is disabled.
+- File indexing service is turned off.
+- Fast boot is disabled.
+- Defragmentation service (aka "Optimize drives" service) is turned off.
+- BCD setting **bootstatuspolicy** is set to **ignoreallfailures**.
+
+After UWF is enabled, you can finally select a drive to protect and start using UWF. If you'll disable after enable it, features above will not be turned on automatically.
+
+You can install UWF for running PCs and devices, prepare it for customized Windows images, or manage it remotely using CSP or WMI.
+
+## Turn on UWF on a running PC
+
+1. Install the feature:
+
+ 1. Click Start, type **Turn Windows features on or off**.
+
+ 1. In the **Windows Features** window, expand the **Device Lockdown** node, and check **Unified Write Filter** > **OK**.
+
+ The **Windows Features** window indicates Windows is searching for required files and displays a progress bar. Once found, the window indicates Windows is applying the changes. When completed, the window indicates the requested changes are completed.
+
+ 1. Click **Close** to close the **Windows Features** window.
+
+1. Enable the filter:
+
+ ```cmd
+ uwfmgr filter enable
+ ```
+
+ > [!Note]
+ > After you run this command, restart the computer and exit the servicing mode, the following things are disabled:
+ > - Windows Update (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate.)
+ > - Windows Store Update (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload.)
+ > - Registry Reorganization (by setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager\RegistryReorganizationLimitDays.)
+ > - Maintenance Hour (by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled.)
+ >
+ > After you run `uwfmgr filter disable`, restart the computer and enter the serving mode, the changes will be reverted.
+
+1. Enable write protection for a drive:
+
+ ```cmd
+ uwfmgr.exe volume protect C:
+ ```
+
+1. Restart your computer.
+
+1. Confirm that UWF is running:
+
+ ```cmd
+ uwfmgr.exe get-config
+ ```
+
+## Install UWF on a customized Windows image
+
+1. Open a command prompt with administrator privileges.
+1. Copy install.wim to a temporary folder on hard drive (in the following steps, we'll assume it's called C:\\wim).
+1. Create a new directory.
+
+ ```cmd
+ md c:\wim
+ ```
+
+1. Mount the image.
+
+ ```cmd
+ dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
+ ```
+
+1. Enable the feature.
+
+ ```cmd
+ dism /image:c:\wim /enable-feature /featureName:Client-UnifiedWriteFilter
+ ```
+
+1. Commit the change.
+
+ ```cmd
+ dism /unmount-wim /MountDir:c:\wim /Commit
+ ```
+
+To activate UWF, you can use a command-line script, CSP, or WMI:
+
+- [CMD](uwfmgrexe.md): `uwfmgr filter enable`, then `uwfmgr.exe volume protect C:`
+- [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `CurrentSession/FilterEnabled`, then `CurrentSession/Volume`
+- [WMI](uwf-wmi-provider-reference.md): `UWF\Filter.Enable`, then `UWF\Volume`.
+
+## Install the UWF feature by using Windows Configuration Designer
+
+1. Create a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
+
+ > [!Note]
+ > When setting the file exclusion in Windows Configuration Designer, you do not need to specify the drive letter since that is already input via the Volume protection setting. For example, if the file being excluded is `C:\testdir\test.txt`, after adding a drive in Volume protection, you only need to input `\testdir\test.txt` to add this file exclusion.
+
+1. In the Available customizations page, select **Runtime settings** > **SMISettings** and then set the value for the Unified Write Filter setting.
+
+1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. See [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information.
+
+To activate UWF, you can use a command-line script, CSP, or WMI:
+
+- [CMD](uwfmgrexe.md): `uwfmgr filter enable`, then `uwfmgr.exe volume protect C:`
+- [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `CurrentSession/FilterEnabled`, then `CurrentSession/Volume`
+- [WMI](uwf-wmi-provider-reference.md): `UWF\Filter.Enable`, then `UWF\Volume`.
+
+## Install the UWF feature by using Windows Management Instrumentation (WMI)
+
+If Windows has already been installed and you do not want to use a provisioning package, you can also configure UWF by using the Windows Management Instrumentation (WMI) providers. To turn on UWF using WMI, you can use the [UWF_Filter](uwf-filter.md) function, specifically the [UWF_Filter.Enable](uwf-filterenable.md) method. You can do this in one of the following ways:
+
+- Use the WMI providers directly in a PowerShell script.
+- Use the WMI providers directly in an application.
+- Use the command line tool, [uwfmgr.exe](uwfmgrexe.md).
+
+You must restart your device after you turn on or turn off UWF before the change takes effect.
+
+You can change these settings after you turn on UWF if you want to. For example, you can move the page file location to an unprotected volume and re-enable paging files.
+
+> [!IMPORTANT]
+> If you add UWF to your image by using SMI settings in an unattend.xml file, turning on UWF only sets the **bootstatuspolicy** BCD setting and turns off the defragmentation service. In this case, you must manually turn off the other features and services if you want to increase the performance of UWF.
+
+All configuration settings for UWF are stored in the registry. UWF automatically excludes these registry entries from filtering.
+
+UWF maintains configuration settings in the registry for the current session and for the next session after a device restart. Static configuration changes do not take effect until after a device restart, and these changes are saved in the registry entries for the next session. Dynamic configuration changes occur immediately and persist after a device restart.
+
+## Related articles
+
+[Unified Write Filter]( index.md)
+
+[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+
+UWF Command-line tool: [uwfmgr.exe](uwfmgrexe.md)
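Review bot: the heading `## Install the UWF feature by using Windows Management Instrumentation (WMI)` does not match its body, which explains how to turn UWF on through `UWF_Filter.Enable` rather than how to install the feature; either rename it ("Turn on UWF by using WMI") or add the install step the heading promises. The related-articles link `[Unified Write Filter]( index.md)` has a leading space inside the parentheses, which some Markdown renderers refuse to treat as a link target; the same `( index.md)` pattern recurs in every new file in this change, so a single search-and-replace fixes all of them. Minor: the CMD bullet mixes `uwfmgr filter enable` and `uwfmgr.exe volume protect C:`; pick one spelling of the tool name within a sentence.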
diff --git a/windows/configuration/unified-write-filter/uwf-volume.md b/windows/configuration/unified-write-filter/uwf-volume.md
new file mode 100644
index 0000000000..3d73fc6db0
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volume.md
@@ -0,0 +1,311 @@
+---
+title: UWF_Volume
+description: UWF_Volume
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume
+
+This class manages a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+class UWF_Volume {
+ [key, Read] boolean CurrentSession;
+ [key, Read] string DriveLetter;
+ [key, Read] string VolumeName;
+ [Read, Write] boolean BindByDriveLetter;
+ [Read] boolean CommitPending;
+ [Read, Write] boolean Protected;
+
+ UInt32 CommitFile([in] string FileFullPath);
+ UInt32 CommitFileDeletion(string FileName);
+ UInt32 Protect();
+ UInt32 Unprotect();
+ UInt32 SetBindByDriveLetter(boolean bBindByVolumeName);
+ UInt32 AddExclusion(string FileName);
+ UInt32 RemoveExclusion(string FileName);
+ UInt32 RemoveAllExclusions();
+ UInt32 FindExclusion([in] string FileName, [out] bFound);
+ UInt32 GetExclusions([out, EmbeddedInstance("UWF_ExcludedFile")] string ExcludedFiles[]);
+
+};
+```
+
+## Members
+
+The following tables list the methods and properties that belong to this class.
+
+### Methods
+
+| Method | Description |
+|--------|-------------|
+| [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) | Adds a file or folder to the file exclusion list for a volume protected byUWF. |
+| [UWF_Volume.CommitFile](uwf-volumecommitfile.md) | Commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF). |
+| [UWF_Volume.CommitFileDeletion](uwf-volumecommitfiledeletion.md) | Deletes a protected file from the volume, and commits the deletion to the physical volume. |
+| [UWF_Volume.FindExclusion](uwf-volumefindexclusion.md) | Determines whether a specific file or folder is in the exclusion list for a volume protected byUWF. |
+| [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) | Retrieves a list of all file exclusions for a volume protected byUWF. |
+| [UWF_Volume.Protect](uwf-volumeprotect.md) | Protects the volume after the next system restart, if UWF is enabled after the restart. |
+| [UWF_Volume.RemoveAllExclusions](uwf-volumeremoveallexclusions.md) | Removes all files and folders from the file exclusion list for a volume protected by UWF. |
+| [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) | Removes a specific file or folder from the file exclusion list for a volume protected byUWF. |
+| [UWF_Volume.SetBindByDriveLetter](uwf-volumesetbindbydriveletter.md) | Sets the **BindByDriveLetter** property, which indicates whether the UWF volume is bound to the physical volume by drive letter or by volume name. |
+| [UWF_Volume.Unprotect](uwf-volumeunprotect.md) | Disables UWF protection of the volume after the next system restart. |
+
+### Properties
+
+| Property | Data type | Qualifiers | Description |
+|----------|----------------|------------|-------------|
+| **BindByDriveLetter** | Boolean | [read, write] | Indicates the type of binding that the volume uses.- **True** to bind the volume by **DriveLetter**(loose binding)- **False** to bind the volume by **VolumeName** (tight binding). |
+| **CommitPending** | Boolean | [read] | Reserved for Microsoft use.|
+| **CurrentSession** | Boolean | [key, read] | Indicates which session the object contains settings for.- **True** if settings are for the current session- **False** if settings are for the next session that follows a restart. |
+| **DriveLetter** | string | [key, read] | The drive letter of the volume. If the volume does not have a drive letter, this value is **NULL**. |
+| **Protected** | Boolean | [read, write] | If **CurrentSession** is **true**, indicates whether the volume is currently protected by UWF.If **CurrentSession** is **false**, indicates whether the volume is protected in the next session after the device restarts. |
+| **VolumeName** | string | [key, read] | The unique identifier of the volume on the current system. The **VolumeName** is the same as the **DeviceID** property of the [Win32_Volume](/previous-versions/windows/desktop/legacy/aa394515(v=vs.85)) class for the volume. |
+
+### Remarks
+
+You must use an administrator account to change any properties or call any methods that change the configuration settings.
+
+### Turn UWF protection on or off
+
+The following example demonstrates how to protect or unprotect a volume with UWF by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
+
+The PowerShellscript creates a function, **Set-ProtectVolume**, that turns UWF protection on or off for a volume. The script then demonstrates how to use the function.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define common parameters
+
+$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
+
+# Create a function to protect or unprotect a volume based on the drive letter of the volume
+
+function Set-ProtectVolume($driveLetter, [bool] $enabled) {
+
+# Each volume has two entries in UWF_Volume, one for the current session and one for the next session after a restart
+# You can only change the protection status of a drive for the next session
+
+ $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
+ };
+
+# If a volume entry is found for the drive letter, enable or disable protection based on the $enabled parameter
+
+ if ($nextConfig) {
+
+ Write-Host "Setting drive protection on $driveLetter to $enabled"
+
+ if ($Enabled -eq $true) {
+ $nextConfig.Protect() | Out-Null;
+ } else {
+ $nextConfig.Unprotect() | Out-Null;
+ }
+ }
+
+# If the drive letter does not match a volume, create a new UWF_volume instance
+
+ else {
+ Write-Host "Error: Could not find $driveLetter. Protection is not enabled."
+ }
+}
+
+# The following sample commands demonstrate how to use the Set-ProtectVolume function
+# to protect and unprotect volumes
+
+Set-ProtectVolume "C:" $true
+Set-ProtectVolume "D:" $true
+
+Set-ProtectVolume "C:" $false
+```
+
+### Manage UWF file and folder exclusions
+
+The following example demonstrates how to manage UWF file and folder exclusions by using the WMI provider in a PowerShell script. The PowerShell script creates four functions, and then demonstrates how to use them.
+
+The first function, **Get-FileExclusions**, displays a list of UWF file exclusions that exist on a volume. Exclusions for both the current session and the next session that follows a restart are displayed.
+
+The second function, **Add-FileExclusion**, adds a file or folder to the UWF exclusion list for a given volume. The exclusion is added for the next session that follows a restart.
+
+The third function, **Remove-FileExclusion**, removes a file or folder from the UWF exclusion list for a given volume. The exclusion is removed for the next session that follows a restart.
+
+The fourth function, **Clear-FileExclusions**, removes all UWF file and folder exclusions from a given volume. The exclusions are removed for the next session that follows a restart.
+
+```powershell
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Define common parameters
+
+$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
+
+function Get-FileExclusions($driveLetter) {
+
+# This function lists the UWF file exclusions for a volume, both
+# for the current session as well as the next session after a restart
+
+# $driveLetter is the drive letter of the volume
+
+# Get the UWF_Volume configuration for the current session
+
+ $currentConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $true
+ };
+
+# Get the UWF_Volume configuration for the next session after a restart
+
+ $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
+ };
+
+# Display file exclusions for the current session
+
+ if ($currentConfig) {
+
+ Write-Host "The following files and folders are currently excluded from UWF filtering for $driveLetter";
+
+ $currentExcludedList = $currentConfig.GetExclusions()
+
+ if ($currentExcludedList) {
+ foreach ($fileExclusion in $currentExcludedList.ExcludedFiles) {
+ Write-Host " " $fileExclusion.FileName
+ }
+ } else {
+ Write-Host " None"
+ }
+ } else {
+ Write-Error "Could not find drive $driveLetter";
+}
+
+# Display file exclusions for the next session after a restart
+
+ if ($nextConfig) {
+
+ Write-Host ""
+ Write-Host "The following files and folders will be excluded from UWF filtering for $driveLetter after the next restart:";
+
+ $nextExcludedList = $nextConfig.GetExclusions()
+
+ if ($nextExcludedList) {
+ foreach ($fileExclusion in $nextExcludedList.ExcludedFiles) {
+ Write-Host " " $fileExclusion.FileName
+ }
+ } else {
+ Write-Host " None"
+ }
+
+ Write-Host ""
+ }
+}
+
+function Add-FileExclusion($driveLetter, $exclusion) {
+
+# This function adds a new UWF file exclusion to a volume
+# The new file exclusion takes effect the next time the device is restarted and UWF is enabled
+
+# $driveLetter is the drive letter of the volume
+# $exclusion is the path and filename of the file or folder exclusion
+
+# Get the configuration for the next session for the volume
+
+ $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
+ };
+
+# Add the exclusion
+
+ if ($nextConfig) {
+ $nextConfig.AddExclusion($exclusion) | Out-Null;
+ Write-Host "Added exclusion $exclusion for $driveLetter";
+ } else {
+ Write-Error "Could not find drive $driveLetter";
+ }
+}
+
+function Remove-FileExclusion($driveLetter, $exclusion) {
+
+# This function removes a UWF file exclusion from a volume
+# The file exclusion is removed the next time the device is restarted
+
+# $driveLetter is the drive letter of the volume
+# $exclusion is the path and filename of the file or folder exclusion
+
+# Get the configuration for the next session for the volume
+
+ $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
+ };
+
+# Try to remove the exclusion
+
+ if ($nextConfig) {
+ try {
+ $nextConfig.RemoveExclusion($exclusion) | Out-Null;
+ Write-Host "Removed exclusion $exclusion for $driveLetter";
+ } catch {
+ Write-Host "Could not remove exclusion $exclusion on drive $driveLetter"
+ }
+ } else {
+ Write-Error "Could not find drive $driveLetter";
+ }
+}
+
+function Clear-FileExclusions($driveLetter) {
+
+# This function removes all UWF file exclusions on a volume
+# The file exclusions are removed the next time the device is restarted
+
+# $driveLetter is the drive letter of the volume
+
+# Get the configuration for the next session for the volume
+
+ $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
+ where {
+ $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
+ };
+
+# Remove all file and folder exclusions
+
+ if ($nextConfig) {
+ $nextConfig.RemoveAllExclusions() | Out-Null;
+ Write-Host "Cleared all exclusions for $driveLetter";
+ } else {
+ Write-Error "Could not clear exclusions for drive $driveLetter";
+ }
+}
+
+# Some examples of using the functions
+
+Clear-FileExclusions "C:"
+
+Add-FileExclusion "C:" "\Users\Public\Public Documents"
+Add-FileExclusion "C:" "\myfolder\myfile.txt"
+
+Get-FileExclusions "C:"
+
+Remove-FileExclusion "C:" "\myfolder\myfile.txt"
+
+Get-FileExclusions "C:"
+```
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
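Review bot: `Get-FileExclusions` has an unreachable branch: `if ($currentExcludedList)` and `if ($nextExcludedList)` test the object returned by `GetExclusions()`, which always carries `ReturnValue` and the `ExcludedFiles` out parameter and is therefore never null; the GetExclusions page in this same change says it is *ExcludedFiles* that is null when the list is empty, so the `Write-Host " None"` line never runs and an empty list prints nothing. Test `$currentExcludedList.ExcludedFiles` (and the `next` counterpart) instead. In `Set-ProtectVolume`, the comment `# If the drive letter does not match a volume, create a new UWF_volume instance` describes code the `else` branch does not contain; it only writes an error, so change the comment (or implement what it says). The class syntax disagrees with the per-method pages: `UInt32 SetBindByDriveLetter(boolean bBindByVolumeName);` versus `bBindByDriveLetter` on the SetBindByDriveLetter page, `CommitFile([in] string FileFullPath)` versus `FileName` on the CommitFile page, and `[out] bFound` is missing its `boolean` type; the fence is also tagged `powershell` although the content is MOF. Table text: "protected byUWF" is missing a space in four Methods rows, the BindByDriveLetter, CurrentSession and Protected descriptions run their list items together ("uses.- **True** ... - **False**") and need `<br>` or sentence separators, and "PowerShellscript" needs a space. Consider noting that `Get-WMIObject` is unavailable in PowerShell 7, where the equivalent is `Get-CimInstance -Namespace root\standardcimv2\embedded -ClassName UWF_Volume` with `Invoke-CimMethod`.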
diff --git a/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md b/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md
new file mode 100644
index 0000000000..72c46d69c6
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumeaddexclusion.md
@@ -0,0 +1,56 @@
+---
+title: UWF_Volume.AddExclusion
+description: UWF_Volume.AddExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.AddExclusion
+
+Adds a file or folder to the file exclusion list for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 AddExclusion(
+ string FileName
+);
+```
+
+## Parameters
+
+**FileName**A string that contains the full path of the file or folder relative to the volume.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to add or remove file or folder exclusions during run time, and you must restart the device for new exclusions to take effect.
+
+> [!IMPORTANT]
+> You can’t add exclusions for the following items:
+>
+> - The volume root. For example, C: or D:.
+> - The \Windows folder on the system volume.
+> - The \Windows\System32 folder on the system volume.
+> - The \Windows\system32\drivers folder on the system volume.
+> - Paging files.
+
+However, you can exclude subdirectories and files under these items.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
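Review bot: `**FileName**A string that contains the full path ...` renders as "FileNameA string"; it is missing the `\[in\]` qualifier and the separator the CommitFile page uses, so the Parameters section should read `**FileName**\[in\] A string ...`. In the Important list, `\Windows\System32` and `\Windows\system32\drivers` spell the folder differently; use one casing. The Remarks say exclusions need a restart to take effect, which matches the sample script on uwf-volume.md that only edits the `CurrentSession -eq $false` instance; it would help to state here that AddExclusion must be called on the next-session instance, since calling it on the current-session object is the most likely mistake.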
diff --git a/windows/configuration/unified-write-filter/uwf-volumecommitfile.md b/windows/configuration/unified-write-filter/uwf-volumecommitfile.md
new file mode 100644
index 0000000000..0487c47c19
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumecommitfile.md
@@ -0,0 +1,47 @@
+---
+title: UWF_Volume.CommitFile
+description: UWF_Volume.CommitFile
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.CommitFile
+
+Commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 CommitFile(
+ [in] string FileName
+);
+```
+
+## Parameters
+
+**FileName**\[in\] A string that contains the path of the file to commit on the overlay, but does not include the drive letter or volume name. For example, “\\users\\test.dat”.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+The *FileName* must contain the name of a file that exists. The **CommitFile** method cannot commit a file that does not exist.
+
+You must use an administrator account to change any properties or call any methods that change the configuration settings.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
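Review bot: `[in] string FileName` here disagrees with `CommitFile([in] string FileFullPath)` in the class syntax on uwf-volume.md; pick one parameter name. The example path is written with typographic quotes, `“\\users\\test.dat”`, which readers copy as literal characters; put the example in backticks with straight quotes or none. The Remarks say the file must exist but not whether it must exist in the overlay or on the physical volume; the CommitFileDeletion page in this change does say "on the physical volume", so the two pages should be made equally precise.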
diff --git a/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md b/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md
new file mode 100644
index 0000000000..ec071c4508
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumecommitfiledeletion.md
@@ -0,0 +1,47 @@
+---
+title: UWF_Volume.CommitFileDeletion
+description: UWF_Volume.CommitFileDeletion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.CommitFileDeletion
+
+Deletes the specified file and commits the deletion to the physical volume.
+
+## Syntax
+
+```powershell
+UInt32 CommitFileDeletion(
+ string FileName
+);
+```
+
+## Parameters
+
+**FileName**\[in\] A string that contains the path of the file to delete, but does not include the drive letter or volume name. For example: “\\users\\test.dat”.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+The *FileName* must contain the name of a file that exists on the physical volume. The **CommitFileDeletion** method cannot delete a file that does not exist.
+
+You must use an administrator account to call this method.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
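Review bot: the syntax block declares `string FileName` without the `[in]` qualifier while the Parameters section says `**FileName**\[in\]` and the sibling CommitFile page puts `[in]` in its syntax; make the qualifier appear in both places or neither. Same typographic-quote issue as CommitFile: `“\\users\\test.dat”` should be in backticks with straight quotes.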
diff --git a/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md b/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md
new file mode 100644
index 0000000000..e2cdf90060
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumefindexclusion.md
@@ -0,0 +1,48 @@
+---
+title: UWF_Volume.FindExclusion
+description: UWF_Volume.FindExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.FindExclusion
+
+Checks if a specific file or folder is in the exclusion list for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 FindExclusion (
+ [in] string FileName,
+ [out] boolean bFound
+);
+```
+
+## Parameters
+
+**FileName**\[in\] A string that contains the full path of the file or folder relative to the volume.
+
+**bFound**\[out\] Indicates if *FileName* is in the file exclusion list for the volume.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+**FindExclusion** sets *bFound* to **true** only for file and folder exclusions that have been explicitly added to the exclusion list. Files and subfolders that are in an excluded folder are not identified as excluded by **FindExclusion**, unless they have been explicitly excluded.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
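Review bot: `UInt32 FindExclusion (` has a space before the parenthesis that no other method syntax in this change uses, and the class syntax on uwf-volume.md declares `[out] bFound` without the `boolean` type that is correctly shown here; align the two. The Remarks sentence that files under an excluded folder are not reported as excluded is the one fact callers most need; consider repeating it in the *bFound* parameter description, since that is what a reader scanning the page sees first.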
diff --git a/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md b/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md
new file mode 100644
index 0000000000..b14bd1d11c
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumegetexclusions.md
@@ -0,0 +1,45 @@
+---
+title: UWF_Volume.GetExclusions
+description: UWF_Volume.GetExclusions
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.GetExclusions
+
+Gets a list of all file exclusions for a Unified Write Filter (UWF) protected volume.
+
+## Syntax
+
+```powershell
+UInt32 GetExclusions(
+ [out, EmbeddedInstance("UWF_ExcludedFile")] string ExcludedFiles[]
+);
+```
+
+## Parameters
+
+**ExcludedFiles**\[out\] An array of [UWF_ExcludedFile](uwf-excludedfile.md) objects that represent the files and folders that are excluded from UWF filtering for a volume.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+If **GetExclusions** does not find any files or folders in the file exclusion list for the volume, **GetExclusions** sets the *ExcludedFiles* parameter to null.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-volumeprotect.md b/windows/configuration/unified-write-filter/uwf-volumeprotect.md
new file mode 100644
index 0000000000..30283fc314
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumeprotect.md
@@ -0,0 +1,45 @@
+---
+title: UWF_Volume.Protect
+description: UWF_Volume.Protect
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.Protect
+
+Enables Unified Write Filter (UWF) to protect the volume after the next system restart, if UWF is enabled after the restart.
+
+## Syntax
+
+```powershell
+UInt32 Protect();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+UWF starts protecting the volume after the next device restart in which UWF is enabled.
+
+This method does not enable UWF if it is disabled; you must explicitly enable UWF for the next session to start volume protection.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md b/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md
new file mode 100644
index 0000000000..c85992e7ff
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumeremoveallexclusions.md
@@ -0,0 +1,45 @@
+---
+title: UWF_Volume.RemoveAllExclusions
+description: UWF_Volume.RemoveAllExclusions
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.RemoveAllExclusions
+
+Removes all files and folders from the file exclusion list for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 RemoveAllExclusions();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI errorj constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+This command does not remove registry exclusions.
+
+You must use an administrator account to remove file or folder exclusions, and you must restart the device for this change to take effect.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
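Review bot: "WMI errorj constant" in the Return Value section is a typo for "WMI error constant". In Remarks, "This command does not remove registry exclusions" should say "method", since this page documents a WMI method rather than a `uwfmgr` command; the sentence is worth keeping, because a caller clearing a volume before re-imaging could otherwise assume registry exclusions were cleared too.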
diff --git a/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md b/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md
new file mode 100644
index 0000000000..6e9f3c3f24
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumeremoveexclusion.md
@@ -0,0 +1,45 @@
+---
+title: UWF_Volume.RemoveExclusion
+description: UWF_Volume.RemoveExclusion
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.RemoveExclusion
+
+Removes a specific file or folder from the file exclusion list for a volume protected by Unified Write Filter (UWF).
+
+## Syntax
+
+```powershell
+UInt32 RemoveExclusion(
+ string FileName
+);
+```
+
+## Parameters
+
+**FileName**A string that contains the full path of the file or folder relative to the volume.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+You must use an administrator account to remove file or folder exclusions, and you must restart the device for this change to take effect.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
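Review bot: `**FileName**A string that contains the full path ...` is missing the `\[in\]` qualifier and the separating space, so it renders as "FileNameA string"; match the CommitFile page's `**FileName**\[in\] A string ...` form. The sample on uwf-volume.md wraps this method in `try`/`catch`; stating here what the method returns when the path is not in the list (error HRESULT versus success with no change) would tell readers whether that `catch` is ever reached.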
diff --git a/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md b/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md
new file mode 100644
index 0000000000..3f2262afcd
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumesetbindbydriveletter.md
@@ -0,0 +1,50 @@
+---
+title: UWF_Volume.SetBindByDriveLetter
+description: UWF_Volume.SetBindByDriveLetter
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.SetBindByDriveLetter
+
+Sets the **BindByDriveLetter** property, which indicates if the Unified Write Filter (UWF) volume is bound to the physical volume by drive letter or volume name.
+
+## Syntax
+
+```powereshell
+UInt32 SetBindByDriveLetter(
+ boolean bBindByDriveLetter
+);
+```
+
+## Parameters
+
+**bBindByDriveLetter**A Boolean value that indicates the type of binding to use. The **BindByDriveLetter** property is set to this value.
+
+| Value | Description |
+|:------:|--------------|
+| **true** | Binds the UWF volume by the drive letter (*loose binding*). |
+| **false** | Binds the UWF volume by the volume name (*tight binding*). |
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Binding by volume name is considered more reliable than binding by drive letter, since drive letters can change for a volume if devices are added or removed.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
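Review bot: the fence tag `powereshell` is misspelled, so the block gets no highlighting; the parameter name `bBindByDriveLetter` here disagrees with `bBindByVolumeName` in the class syntax on uwf-volume.md; and `**bBindByDriveLetter**A Boolean value` is missing the separator and `\[in\]` qualifier used on the other method pages. The Remarks' point that drive letters can change when devices are added or removed is the security-relevant one: with loose binding, protection follows the letter rather than the physical volume, so it deserves to be stated in the `true` row of the value table as well, not only in Remarks.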
diff --git a/windows/configuration/unified-write-filter/uwf-volumeunprotect.md b/windows/configuration/unified-write-filter/uwf-volumeunprotect.md
new file mode 100644
index 0000000000..015e73e77d
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-volumeunprotect.md
@@ -0,0 +1,43 @@
+---
+title: UWF_Volume.Unprotect
+description: UWF_Volume.Unprotect
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# UWF_Volume.Unprotect
+
+Disables UWF protection of the volume after the next system restart.
+
+## Syntax
+
+```powershell
+UInt32 Unprotect();
+```
+
+## Parameters
+
+None.
+
+## Return Value
+
+Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
+
+## Remarks
+
+Unprotecting the volume does not remove the [UWF_Volume](uwf-volume.md) entry or any configuration settings from the UWF configuration registry. This means that you can unprotect a volume, and then protect it again later, while keeping any file exclusions or volume configurations that you have defined.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [UWF_Volume](uwf-volume.md)
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md b/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md
new file mode 100644
index 0000000000..90f771ca8c
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-wes7-ewf-to-win10-uwf.md
@@ -0,0 +1,60 @@
+---
+title: Windows Embedded Systems7 Enhanced Write Filter to Windows 10 Unified Write Filter
+description: Migration of WES7 EWF to Win10 UWF
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# Windows Embedded Systems 7 Enhanced Write Filter to Windows 10 Unified Write Filter
+
+## Allow UWF swapfile (aka. DISK Overlay) to be created and used on any volume
+
+We added ability for Overlay in DISK mode to use file on any available volume unrelated to whether the volume is protected or not. The main purpose for the change is to allow booting from devices susceptible to wear by writings (such as Flash/SD/SSD devices) while redirecting the DISK overlay to less *precious* media. Prior to that change, DISK mode Overlay was exclusively restricted to OS (aka C:) volume.
+
+:::image type="content" source="images/administratorcommandprompt.png" alt-text="This is a administrator command prompt":::
+
+New subcommand `create-swapfile` was introduced under `uwfmgr.exe volume` to allow user control over the location of the DISK mode Overlay swapfile. This command requires volume DOS name (such as C:, D:, and so on.) or volume GUID as argument. The initial size of the file is deduced from the size of the Overlay at the time and may be later changed by issuing `uwfmgr.exe overlay set-size` subcommand.
+The new subcommand `create-swapfile` is only allowed when UWF filter is disabled and UWF Overlay is in DISK mode.
+
+## Read Only Media mode
+
+Read Only Mode allows elimination of all and any writes to the physical storage device, even metadata writes that does not have any effect on a files content. Read Only Media mode can be easily configured using UWF to get into it and out of it. The new functionality supports many popular scenarios that users of legacy WES7 EWF volume-based filter used.
+The new subcommand `set-rom-mode` was introduced under `uwfmgr.exe. overlay` to allow the user to enable/disable Read-Only Media mode.
+
+:::image type="content" source="images/administratorcompactprompt.png" alt-text="This is a administrator compact prompt":::
+
+This subcommand requires `on` or `off` argument. Read-Only Media mode can be enabled only when UWF is currently disabled. The mode can be disabled, if UWF is currently enabled, but after `off` command is issued there is no way to re-enable Read-Only Media mode until the next reboot. Also, UWF can be enabled/disabled while in Read-Only Media mode, but such *state change* results in files and/or metadata to be changed on physical device protected by UWF.
+
+> [!NOTE]
+>
+>- After enabling Read-Only Media mode, all writes will be filtered out as earlier as next reboot, so anything that is written until then may cause changes on the physical device.
+>- All existing exclusions are ignored (nonfunctional) and no file/registry commits are possible in Read Only Media mode. See Full Volume Commit in this document).
+>- Enabling Read Only Media mode is only possible when UWF is configured to use RAM overlay.
+
+:::image type="content" source="images/overlaysettings.png" alt-text="This is a overlay settings":::
+
+UWF CSP provider was updated by allowing setting new bit (0x4) in CFG_DATATYPE_INTEGER UnifiedWriteFilter\NextSession\OverlayFlags property.
+
+After the implementation of Read-Only Media mode we were able to make HORM mode transitions significantly more consistent, safe, and reliable. To enable HORM mode, UWF must be configured and booted into Read Only Media mode, which eliminates the need for user to care about exclusions and situation where HORM enablement is not possible by other reasons.
+
+### Full Volume Commit in Read-Only Media mode
+
+After introduction of Read-Only Media mode, we were able to implement ability to commit entire state of the UWF protected volumes to the physical disk at once, which was architecturally impossible before in presence of active file/registry exclusions.
+
+The new subcommand `commit` was introduced under `uwfmgr.exe overlay` to allow the user to commit all accumulated changes since, previous boot and all following changes until next reboot to the underlying physical device. After successful `full volume commit` and until the next reboot OS behaves like being totally unprotected. Protection is restored on the next reboot.
+
+:::image type="content" source="images/administratorprompt.png" alt-text="This is a administrator prompt":::
+
+> [!NOTE]
+>
+>- UWF must be enabled and configured in Read-Only Media mode
+>- UWF must not be in HORM mode:
+> HORM mode cannot be enabled after Full Volume Commit and before the next reboot.
+>
+>- UWF can be disabled after Full Volume Commit
+
+UWF CSP provider was updated by adding read/write CFG_DATATYPE_BOOLEAN `UnifiedWriteFilter\CurrentSession\OverlayCommit` property, which indicates if Full Overlay Commit was issued after the last boot. Setting that property from zero (FALSE) to non-zero value (TRUE) causes immediate Full Volume Commit to be performed. Setting this property to zero (FALSE) if its current value is non-zero (TRUE) is not allowed.
+
+Customer can easily determine `Full Volume Commit` state by checking current configuration (for example, uwfmgr get-config):
+
+:::image type="content" source="images/fullvolumecommit.png" alt-text="This is a full volume commit":::
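Review bot: the Full Volume Commit paragraph should spell out its security consequence: once `commit` succeeds, the volume is written through until the next reboot, so every subsequent write (accidental changes, unwanted software persistence, anything) lands on the physical disk; recommend saying that the command belongs only as the final step of a deliberate servicing workflow followed immediately by a restart, and that setting `UnifiedWriteFilter\CurrentSession\OverlayCommit` through the CSP triggers the same irreversible commit remotely. Smaller fixes in this hunk: `uwfmgr.exe. overlay` has a stray period (compare `uwfmgr.exe overlay` in the commit paragraph); "as earlier as next reboot" should read "as early as the next reboot"; "See Full Volume Commit in this document)." has an unmatched parenthesis; the CSP property `UnifiedWriteFilter\NextSession\OverlayFlags` should be in code formatting like `UnifiedWriteFilter\CurrentSession\OverlayCommit` below it; and the four screenshots of uwfmgr output (alt text "This is a administrator compact prompt" and similar) should be replaced by, or at least accompanied by, the actual commands and their output in a `cmd` code block, since images cannot be copied, searched or read by screen readers.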
diff --git a/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md b/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md
new file mode 100644
index 0000000000..81c39bca3e
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwf-wmi-provider-reference.md
@@ -0,0 +1,43 @@
+---
+title: Unified Write Filter WMI provider reference
+description: Unified Write Filter WMI provider reference
+ms.date: 05/20/2024
+ms.topic: reference
+---
+
+# Unified Write Filter WMI provider reference
+
+To help protect physical storage media, you can use the WMI providers for Unified Write Filter (UWF) to configure UWF.
+
+This section describes the WMI provider classes for UWF.
+
+## In this section
+
+| Classes | Description |
+|---------|-------------|
+| [UWF_ExcludedFile](uwf-excludedfile.md) | A container class that contains the files and folders that are currently in the file exclusion list for a volume protected by UWF.|
+| [UWF_ExcludedRegistryKey](uwf-excludedregistrykey.md) | A container class that contains the registry keys that are currently in the registry key exclusion list for UWF. |
+| [UWF_Filter](uwf-filter.md) | Enables or disables Unified Write Filter (UWF), resets configuration settings for UWF, and shuts down or restarts your device. |
+| [UWF_Overlay](uwf-overlay.md) | Contains the current size of the UWF overlay and manages the critical and warning thresholds for the overlay size. |
+| [UWF_OverlayConfig](uwf-overlayconfig.md) | Manages the configuration of the UWF overlay. |
+| [UWF_OverlayFile](uwf-overlayfile.md) | Displays and configures global settings for the UWF overlay. You can modify the maximum size and the type of the UWF overlay. |
+| [UWF_RegistryFilter](uwf-registryfilter.md) | Adds or removes registry exclusions from UWF filtering. |
+| [UWF_Servicing](uwf-servicing.md) | Contains properties and methods that enable you to query and control UWF servicing mode. |
+| [UWF_Volume](uwf-volume.md) | Manages a volume protected by UWF. |
+
+> [!NOTE]
+> We recommend setting the authentication level to PacketIntegrity or PacketPrivacy for remote clients when you connect to WMI providers under root\\standardcimv2\\embedded when using WMI scripts or applications. For more information about how to use authentication with WMI providers, see this [WMI Enhancements in Windows PowerShell 2.0 CTP](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730973(v=technet.10)) on TechNet.
+
+## Requirements
+
+| Windows Edition | Supported |
+|:-----------------------|:---------:|
+| Windows Home | No |
+| Windows Pro | No |
+| Windows Enterprise | Yes |
+| Windows Education | Yes |
+| Windows IoT Enterprise | Yes |
+
+## Related articles
+
+- [uwfmgr.exe](uwfmgrexe.md)
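Review bot: the UWF_OverlayConfig and UWF_OverlayFile rows overlap: both describe managing overlay configuration, and the UWF_OverlayFile text ("You can modify the maximum size and the type of the UWF overlay") reads like the UWF_OverlayConfig description, so one of the two needs rewording to say what UWF_OverlayFile actually represents. The authentication note is the right call but should say why: PacketIntegrity signs each DCOM/WMI call so it cannot be altered in transit, PacketPrivacy additionally encrypts it, and since UWF_Filter.Disable and UWF_Volume.Unprotect listed in this table can switch protection off remotely, the note should also remind readers to restrict who holds remote WMI rights to the `root\standardcimv2\embedded` namespace. Minor: the front-matter `description` just repeats the title (the same is true of the other new files in this change); a one-sentence summary serves search results and link previews better.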
diff --git a/windows/configuration/unified-write-filter/uwfexclusions.md b/windows/configuration/unified-write-filter/uwfexclusions.md
new file mode 100644
index 0000000000..a2e371583f
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwfexclusions.md
@@ -0,0 +1,189 @@
+---
+title: Common write filter exclusions
+description: Common write filter exclusions
+ms.date: 08/11/2023
+ms.topic: reference
+---
+
+# Write filter exclusions
+
+You can add specific files or folders on a protected volume to a file exclusion list. When a file or folder is in the exclusion list all writes to that file or folder persists through a device restart.
+
+You must use an administrator account to add or remove file or folder exclusions during run time, and you must restart the device for new exclusions to take effect.
+
+> [!IMPORTANT]
+> Adding files and folders to exclusions will not reduce overlay consumption. Exclusions are intended to allow small amounts of data and configuration to persist after the device restarts.
+>
+> Don't add exclusions for the following:
+>
+> - \Windows\System32\config\DEFAULT
+> - \Windows\System32\config\SAM
+> - \Windows\System32\config\SECURITY
+> - \Windows\System32\config\SOFTWARE
+> - \Windows\System32\config\SYSTEM
+> - \Users\\NTUSER.DAT
+> - \Windows\BOOTSTAT.DAT
+> - %System Drive%\EFI\Microsoft\Boot\BOOTSTAT.DAT
+> - %System Drive%\Boot\BOOTSTAT.DAT
+>
+> Also, don't add exclusions for the following:
+>
+> - The volume root. For example, C: or D:.
+> - The `\Windows` folder on the system volume.
+> - The `\Windows\System32` folder on the system volume.
+> - The `\Windows\System32\Drivers` folder on the system volume.
+> - Paging files.
+>
+> Adding an exclusion for any of these items is unsupported and may lead to unpredictable results.
+> It's OK to exclude subdirectories and files under these locations.
+>
+> Folders need to exist prior to adding them to the exclusion list.
+>
+
+You can't rename or move a file or folder from a protected location to an unprotected location, or vice versa. An error occurs if you attempt to delete a file folder in the exclusion list on a write filter protected volume. In this case, Windows attempts to move the file or folder to the Recycle Bin. The Recycle Bin isn't in the exclusion list. You can't move files that are in the exclusion list to a location that is write filter protected.
+
+You can work around this error using one of the following options:
+
+- Disable the Recycle Bin
+- User can press Ctrl+Shift and then left-click on the file to directly delete the excluded file to bypass the Recycle Bin.
+- User can delete the excluded file directly from a command prompt.
+
+You must restart the device for new exclusions to take effect.
+
+## Virtual Hard Disk (VHD) file exclusions
+
+When you deploy a Windows image with UWF on a VHD boot disk, you can protect the volume that contains the VHD file by adding a file exclusion for the VHD file before enabling UWF and protecting the volume.
+
+To add a file exclusion for the VHD file at an administrator command prompt:
+
+```cmd
+uwfmgr.exe file add-exclusion :\\.vhd
+```
+
+For example:
+
+```cmd
+uwfmgr.exe file add-exclusion E:\VHD\test.vhd
+```
+
+## Registry exclusions
+
+You can add specific registry keys to an exclusion list to exclude those keys from UWF protection. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.
+
+You must use an administrator account to add or remove registry exclusions during run time, and you must restart the device for new exclusions to take effect.
+
+If you exclude a registry key, all its subkeys are also excluded from filtering. You can exclude registry subkeys only under the following registry keys:
+
+- `HKEY\LOCAL\MACHINE\BCD00000000`
+- `HKEY\LOCAL\MACHINE\SYSTEM`
+- `HKEY\LOCAL\MACHINE\SOFTWARE`
+- `HKEY\LOCAL\MACHINE\SAM`
+- `HKEY\LOCAL\MACHINE\SECURITY`
+- `HKEY\LOCAL\MACHINE\COMPONENTS`
+
+> [!IMPORTANT]
+> Don't add exclusions for the following:
+>
+> - `HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC`
+
+> [!NOTE]
+> UWF automatically excludes certain registry keys from being filtered. These registry keys are primarily related to UWF configuration settings and cannot be removed from the exclusion list.
+
+For more information about common registry exclusions, see [Common write filter exclusions](uwfexclusions.md).
+
+## Common write-filter exclusions
+
+Some services and features write information to a device’s persistent volume, and expect that information to be present across device restarts. You may need to configure your write filter to allow for specific file and registry exclusions in order for these services and features to work correctly.
+
+This article lists registry and file exclusions that can help enable some common services and features to work correctly when write filters are enabled.
+
+If you're running any antivirus or security software in addition to UWF, consult with your antivirus vendor for advice on how to configure their solution in a UWF environment. You may need to add a UWF exclusion for the signature or update folder.
+
+### Customer Experience Improvement Program (CEIP)
+
+When you choose to participate in the CEIP, your computer or device automatically sends information to Microsoft about how you use certain products. Information from your computer or device is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often.
+
+CEIP data is stored in files that have a `.sqm` file name extension. To make sure that the CEIP data in the `.sqm` files is available on a device that has write filters enabled, you can add file and folder exclusions for the `.sqm` files and folders.
+
+To locate the `.sqm` files and folders on your device, search for `.sqm` files by using File Explorer. Alternately, at a command prompt with administrator rights at the root of the drive, type the following command to obtain a list of `.sqm` files on the device:
+
+```powershell
+dir *.sqm /s
+```
+
+Add file and folder exclusions as required for any `.sqm` files located on your device.
+
+Add registry exclusions for the following registry keys:
+
+- `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable`
+- `HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\CEIPEnable`
+- `HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\UploadDisableFlag`
+
+### Background Intelligent Transfer Service (BITS)
+
+Background Intelligent Transfer Service (BITS) downloads or uploads files between a client and server and provides progress information related to the transfers.
+
+Add file exclusions for the following folders and files:
+
+- `%ALLUSERSPROFILE%*\Microsoft\Network\Downloader`
+
+Add registry exclusions for the following registry keys:
+
+- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex`
+
+### Windows Explorer
+
+If you attempt to delete an excluded file or folder on a protected volume using Windows Explorer, you experience an error. In this case, Windows attempt to move the file or folder to the Recycle Bin, which isn't in the exclusion list. The write filter doesn't support moving a file or folder in the exclusion list to a location that is write filter protected.
+
+You can work around this error using one of the following options:
+
+- Disable the Recycle Bin
+- User can press Ctrl+Shift and then left-click on the file to directly delete the excluded file to bypass the Recycle Bin.
+- User can delete the excluded file directly from a command prompt.
+
+### Networks
+
+When you use write filters on your device, you can add file and registry exclusions to enable your device to join wired and wireless networks. The following file and registry exclusions may be required on your device.
+
+Client Group Policy Object (GPO) registry keys:
+
+- Wireless: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy`
+- Wired: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy`
+
+GPO policy files:
+
+- Wireless: `C:\Windows\wlansvc\Policies`
+- Wired: `C:\Windows\dot2svc\Policies`
+
+Interface profile registry keys:
+
+- Wireless: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc`
+- Wired: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc`
+
+Interface policy file:
+
+- Wireless: `C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces\{***<Interface GUID>***}\{***<Profile GUID>***}.xml`
+- Wired: `C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces\{***<Interface GUID>***}\{***<Profile GUID>***}.xml`
+
+Services registry keys:
+
+- Wireless: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc`
+- Wireless: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc`
+- Wired: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc`
+
+> [!IMPORTANT]
+> Folders need to exist prior to adding them to the exclusion list.
+>
+
+### Daylight saving time (DST)
+
+You can add the following registry exclusions to persist daylight saving time (DST) settings on your device.
+
+- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones`
+- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
+- [Service UWF-protected devices](service-uwf-protected-devices.md)
+- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
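Review bot: several identifiers in this file are wrong as written: the registry roots in the "You can exclude registry subkeys only under" list read `HKEY\LOCAL\MACHINE\...` and should be `HKEY_LOCAL_MACHINE\...`; `C:\Windows\dot2svc\Policies` under "GPO policy files" should be `dot3svc`, matching the service name used in the interface and services lists two sections later; and the `dir *.sqm /s` block is fenced as `powershell` although `/s` is a cmd.exe switch (in PowerShell `dir` is an alias for `Get-ChildItem` and the command fails), so fence it as `cmd` like the `uwfmgr.exe` blocks above it. The VHD template `uwfmgr.exe file add-exclusion :\\.vhd` has lost its angle-bracket placeholders and no longer shows what goes where; `%System Drive%` should be `%SystemDrive%`; `%ALLUSERSPROFILE%*\Microsoft\Network\Downloader` has a stray `*`; the sentence "For more information about common registry exclusions, see [Common write filter exclusions](uwfexclusions.md)" links to this same file and should target the `#common-write-filter-exclusions` heading instead; the Recycle Bin paragraph and its three workaround bullets appear twice (introduction and "Windows Explorer"), so keep one and cross-reference; the `\Users\\NTUSER.DAT` entry uses a doubled backslash unlike its neighbours and appears to be missing the user-profile segment of the path; and `[Unified Write Filter]( index.md)` has a stray space inside the link target.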
diff --git a/windows/configuration/unified-write-filter/uwfmgrexe.md b/windows/configuration/unified-write-filter/uwfmgrexe.md
new file mode 100644
index 0000000000..81f17dbbf7
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwfmgrexe.md
@@ -0,0 +1,214 @@
+---
+title: uwfmgr.exe
+description: uwfmgr.exe
+ms.date: 10/02/2018
+ms.topic: reference
+---
+
+# uwfmgr.exe
+
+The UWFMgr tool can be used at the command-line or in PowerShell to configure and retrieve settings for [Unified Write Filter (UWF)]( index.md).
+
+> [!IMPORTANT]
+> Users with standard accounts can use commands that retrieve information, but only users who have administrator accounts can use commands that change the configuration settings.
+
+## Syntax
+
+```powershell
+uwfmgr.exe
+ Help | ?
+ Get-Config
+ Filter
+ Help | ?
+ Enable
+ Disable
+ Reset-Settings
+ Shutdown
+ Restart
+ Volume
+ Help | ?
+ Get-Config { | all}
+ Protect { | all}
+ Unprotect
+ File
+ Help | ?
+ Get-Exclusions { | all}
+ Add-Exclusion
+ Remove-Exclusion
+ Commit
+ Commit-Delete
+ Registry
+ Help | ?
+ Get-Exclusions
+ Add-Exclusion
+ Remove-Exclusion
+ Commit []
+ Commit-Delete []
+ Overlay
+ Help | ?
+ Get-Config
+ Get-AvailableSpace
+ Get-Consumption
+ Set-Size
+ Set-Type {RAM | DISK}
+ Set-WarningThreshold
+ Set-CriticalThreshold
+ Set-Passthrough
+ Set-Persistent
+ Reset-PersistentState
+ Servicing
+ Enable
+ Disable
+ Update-Windows
+ Get-Config
+ Help
+```
+
+## Location
+
+**Uwfmgr** can be found under the %WINDIR%\\System32\\ folder.
+
+## Command-line options and parameters
+
+The following list describes the options and sub-options that are available to use in **uwfmgr.exe**, and it lists the corresponding WMI class or method for each command-line option and sub-option (if available).
+
+- **Help | ?**
+ - Displays command-line help for basic parameters for **uwfmgr.exe**.
+- **Get-Config**
+ - Displays UWF configuration settings for the current and next session.
+- **Filter**
+ - Configures basic UWF settings.
+ - [UWF_Filter](uwf-filter.md)
+ - *Enable*
+ - Enables UWF protection for the next session after a system restart.
+ - [UWF_Filter.Enable](uwf-filterenable.md)
+ - *Disable*
+ - Disables UWF protection for the next session after a system restart.
+ - [UWF_Filter.Disable](uwf-filterdisable.md)
+ - *Reset-Settings*
+ - Restores UWF settings to the original state.If you added UWF to your image by using **Turn Windows features on or off** or by using DISM, the original state is the state of UWF settings when UWF was first enabled. If you added UWF to your image by using SMI settings in an unattend file, the original state is the state of UWF settings when Windows was installed on the device. **Starting in Windows 10, this command is no longer supported.**
+ - [UWF_Filter.ResetSettings](uwf-filterresetsettings.md)
+ - *Shutdown*
+ - Shuts down the device immediately, even if the overlay is full or near full. Administrator-level permissions are required to use this command.
+ - [UWF_Filter.ShutdownSystem](uwf-filtershutdownsystem.md)
+ - *Restart*
+ - Shuts down the device immediately and restarts, even if the overlay is full or near full. Administrator-level permissions are required to use this command.
+ - [UWF_Filter.RestartSystem](uwf-filterrestartsystem.md)
+- **Volume**
+ - Configures settings for volumes protected by UWF. If the *<volume>* argument is needed, you can specify a drive letter (for example, `uwfmgr.exe volume protect C:`), or else you can specify all volumes (for example, `uwfmgr.exe volume get-config all`).
+ - [UWF_Volume](uwf-volume.md)
+ - *Help | ?*
+ - Displays command-line help for the `uwfmgr.exe volume` command.
+ - *Get-Config* {*<volume>* | all}
+ - Displays configuration settings and file exclusions for the specified volume, or all volumes if **all** is specified. Displays information for both the current and the next session.
+ - [UWF_Volume](uwf-volume.md)
+ - *Protect* {*<volume>* | all}
+ - Adds the specified volume to the list of volumes that are protected by UWF. UWF starts protecting the volume after the next system restart if UWF filtering is enabled.
+ - [UWF_Volume.Protect](uwf-volumeprotect.md)
+ - *Unprotect* *<volume>*
+ - Removes the specified volume from the list of volumes that are protected by UWF. UWF stops protecting the volume after the next system restart.
+ - [UWF_Volume.Unprotect](uwf-volumeunprotect.md)
+- **File**
+ - Configures file exclusion settings for UWF. If you use the *<file>* argument, it must be fully qualified, including the volume and path. **uwfmgr.exe** uses the volume specified in the *<file>* argument to determine which volume contains the file exclusion list for the file.
+ - [UWF_Volume](uwf-volume.md)
+ - *Help | ?*
+ - Displays command-line help for the `uwfmgr.exe file` command.
+ - *Get-Exclusions* {*<volume>* | all}
+ - Displays all files and directories in the exclusion list for the specified volume (for example, `uwfmgr.exe file Get-Exclusions C:`), or all volumes if **all** is specified. Displays information for both the current and the next session.
+ - [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md)
+ - *Add-Exclusion* *<file>*
+ - Adds the specified file to the file exclusion list of the volume protected by UWF. UWF starts excluding the file from filtering after the next system restart.
+ - [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md)
+ - *Remove-Exclusion* *<file>*
+ - Removes the specified file from the file exclusion list of the volume protected by UWF. UWF stops excluding the file from filtering after the next system restart.
+ - [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md)
+ - *Commit* *<file>*
+ - Commits changes to a specified file to overlay for a UWF-protected volume. Administrator-level permissions are required to use this command.
+ - [UWF_Volume.CommitFile](uwf-volumecommitfile.md)
+ - *Commit-Delete* *<file>*
+ - Deletes the specified file from both the overlay and the physical volume. Administrator-level permissions are required to use this command.
+ - [UWF_Volume.CommitFileDeletion](uwf-volumecommitfiledeletion.md)
+- **Registry**
+ - Configures registry key exclusion settings for UWF.
+ - [UWF_RegistryFilter](uwf-registryfilter.md)
+ - *Help | ?*
+ - Displays command-line help for the `uwfmgr.exe registry` command.
+ - *Get-Exclusions*
+ - Displays all registry keys in the registry exclusion list. Displays information for both the current and the next session.
+ - [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md)
+ - *Add-Exclusion<key>*
+ - Adds the specified registry key to the registry exclusion list for UWF. UWF starts excluding the registry key from filtering after the next system restart.
+ - [UWF_RegistryFilter.AddExclusion](uwf-registryfilteraddexclusion.md)
+ - *Remove-Exclusion* *<key>*
+ - Removes the specified registry key from the registry exclusion list for UWF. UWF stops excluding the registry key from filtering after the next system restart.
+ - [UWF_RegistryFilter.RemoveExclusion](uwf-registryfilterremoveexclusion.md)
+ - *Commit* *<key> <value>*
+ - Commits changes to the specified key and value. Administrator-level permissions are required to use this command.
+ - [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md)
+ - *Commit-Delete* *<key> \[<value>\]*
+ - Deletes the specified registry key and value and commits the deletion. Deletes all values and subkeys if the value is empty, and commits the deletion. Administrator-level permissions are required to use this command.
+ - [UWF_RegistryFilter.CommitRegistryDeletion](uwf-registryfiltercommitregistrydeletion.md)
+- **Overlay**
+ - Configures settings for the UWF overlay.
+ - [UWF_Overlay](uwf-overlay.md) and [UWF_OverlayConfig](uwf-overlayconfig.md)
+ - *Help | ?*
+ - Displays command-line help for the `uwfmgr.exe overlay` command.
+ - *Get-Config*
+ - Displays configuration settings for the UWF overlay. Displays information for both the current and the next session.
+ - [UWF_Overlay](uwf-overlay.md) and [UWF_OverlayConfig](uwf-overlayconfig.md)
+ - *Get-AvailableSpace*
+ - Displays the amount of space remaining that is available for the UWF overlay.
+ - [UWF_Overlay](uwf-overlay.md)
+ - *Get-Consumption*
+ - Displays the amount of space currently used by the UWF overlay.
+ - [UWF_Overlay](uwf-overlay.md)
+ - *Set-Size* *<size>*
+ - Sets the maximum size of the UWF overlay, in megabytes, for the next session after a system restart.
+ - [UWF_OverlayConfig.SetMaximumSize](uwf-overlayconfigsetmaximumsize.md)
+ - *Set-Type* {*RAM | DISK*}
+ - Sets the type of the overlay storage to RAM-based or disk-based. UWF must be disabled in the current session to set the overlay type to disk-based.
+ - [UWF_OverlayConfig.SetType](uwf-overlayconfigsettype.md)
+ - *Set-WarningThreshold* *<size>*
+ - Sets the overlay size, in megabytes, at which the driver issues warning notifications for the current session.
+ - [UWF_Overlay.SetWarningThreshold](uwf-overlaysetwarningthreshold.md)
+ - *Set-CriticalThreshold* *<size>*
+ - Sets the overlay size, in megabytes, at which the driver issues critical notifications for the current session.
+ - [UWF_Overlay.SetCriticalThreshold](uwf-overlaysetcriticalthreshold.md)
+ - *Set-Passthrough* **
+ - Turns the [free space passthrough](uwfoverlay.md#freespace-passthrough-recommended) on or off, allowing UWF to use free space outside of the reserved space when available.
+ - *Set-Persistent* **
+ - Sets the overlay as a [persistent overlay](uwfoverlay.md#persistent-overlay), allowing users to keep using their data after a reboot.
+ - *Reset-PersistentState* **
+ - Clears a persistent overlay on the next boot (on/off).
+
+- **Servicing**
+ - Configures settings for UWF servicing mode.
+ - [UWF_Servicing](uwf-servicing.md)
+ - *Enable*
+ - Enables servicing mode in the next session after a restart. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.Enable](uwf-servicingenable.md)
+ - *Disable*
+ - Disables UWF servicing mode in the next session after a restart. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.Disable](uwf-servicingdisable.md)
+ - *Update-Windows*
+ - Stand-alone command to apply Windows updates to a device. Called by the master servicing script that is called by the `uwfmgr.exe servicing enable` command. We recommend that you use the `uwfmgr.exe servicing enable` command to service your UWF–protected device whenever possible. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.UpdateWindows](uwf-servicingupdatewindows.md)
+ - *Get-Config*
+ - Displays UWF servicing mode information for the current session and the next session.
+ - [UWF_Servicing](uwf-servicing.md)
+ - *Help*
+ - Displays command-line help for the `uwfmgr.exe servicing` command.
+
+## Unsupported WMI methods
+
+The following list contains the UWF WMI provider methods that are not currently supported by the **uwfmgr.exe** tool:
+
+- [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md)
+- [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md)
+- [UWF_Volume.FindExclusion](uwf-volumefindexclusion.md)
+- [UWF_Volume.RemoveAllExclusions](uwf-volumeremoveallexclusions.md)
+- [UWF_Volume.SetBindByDriveLetter](uwf-volumesetbindbydriveletter.md)
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
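Review bot: the angle-bracket placeholders were stripped throughout this file, so the syntax block shows `Get-Config { | all}`, `Commit []` and `Set-Size` with no argument, and the option list has `*Set-Passthrough* **`, `*Set-Persistent* **` and `*Reset-PersistentState* **` with an empty bold span where the `{on | off}` argument belonged; likewise `*<volume>*`, `*<file>*` and `*<key>*` in the descriptions look like HTML tags to a Markdown renderer and may be dropped, so escape them as `\<volume\>` or put them in backticks, and `*Add-Exclusion<key>*` is missing the space before the argument. The syntax block is fenced as `powershell` but is a usage tree, not runnable PowerShell; fence it as `text` or `cmd`. Also "original state.If you" needs a space after the period, and `[Unified Write Filter]( index.md)` (opening paragraph and Related articles) has a stray space inside the link target.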
diff --git a/windows/configuration/unified-write-filter/uwfoverlay.md b/windows/configuration/unified-write-filter/uwfoverlay.md
new file mode 100644
index 0000000000..01c2c8cb3b
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwfoverlay.md
@@ -0,0 +1,133 @@
+---
+title: Overlay for Unified Write Filter (UWF)
+description: Overlay for Unified Write Filter (UWF)
+ms.date: 10/02/2018
+ms.topic: reference
+---
+
+# Unified Write Filter (UWF) overlay location and size
+
+The Unified Write Filter (UWF) protects the contents of a volume by intercepting write attempts to a protected volume and redirects those write attempts to a virtual overlay.
+
+You can choose where the overlay is stored (RAM or disk), how much space is reserved, and what happens when the overlay fills up.
+
+To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device.
+
+## RAM overlay vs. disk overlay
+
+- **RAM overlay (default)**: The virtual overlay is stored in RAM, and is cleared after a reboot.
+
+ - By writing to RAM, you can reduce the wear on write-sensitive media like solid-state drives.
+ - RAM is often more limited than drive space. As the drive overlay fills up the available RAM, device performance could be reduced, and users will eventually be prompted to reboot the device. If your users are expected to make many large writes to the overlay, consider using a disk overlay instead.
+
+- **Disk overlay**: The virtual overlay is stored in a temporary location on the drive. By default, the overlay is cleared on reboot.
+
+ - You can use [freespace passthrough](#freespace-passthrough-recommended) to use additional free space on the drive beyond the reserved virtual overlay space.
+ - On Windows 10, version 1803, you can use [persistent overlay](#persistent-overlay) to allow users to save work in the virtual overlay even after a reboot.
+
+## Overlay size
+
+- Default=1024MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-size`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/MaximumOverlaySize`
+ - [WMI](uwf-overlayconfigsetmaximumsize.md): `UWF\Overlay.SetMaximumSize`
+
+When planning device rollouts, we recommend optimizing the overlay size to fit your needs.
+
+For RAM overlays, you'll need to budget some RAM for the system. For example, if the OS requires 2 GB of RAM, and your device has 4 GB of RAM, set the maximum size of the overlay to 2048MB (2 GB) or less.
+
+We recommend enabling UWF on a test device, installing the necessary apps, and putting the device through usage simulations. You can use this Powershell script to find out which files are consuming space:
+
+```powershell
+$wmiobject = get-wmiobject -Namespace "root\standardcimv2\embedded" -Class UWF_Overlay
+$files = $wmiobject.GetOverlayFiles("c:")
+$files.OverlayFiles | select-object -Property FileName,FileSize | export-csv -Path D:\output.csv
+```
+
+The amount of overlay used will depend on:
+
+- Device usage patterns.
+- Apps that can be accessed. (Some apps have high write volumes and will fill up the overlay faster.)
+- Time between resets.
+- When files are deleted, UWF removes them from the overlay and returns the freed resources to the available pool.
+
+### Warnings and critical events
+
+As the drive overlay fills up the available space, you can warn your users that they're running out of space, and prompt them to reboot the device or to run a script to clear the overlay.
+
+1. Set warning levels and critical levels (optional). When the overlay is filled to this value, UWF writes an Event Tracing for Windows (ETW) message.
+
+ - **Warning level**: Default=512MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-warningthreshold`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/WarningOverlayThreshold`
+ - [WMI](uwf-overlaysetwarningthreshold.md): `UWF_Overlay.SetWarningThreshold`
+ - **Critical level**: Default=1024MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-criticalthreshold`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/CriticalOverlayThreshold`
+ - [WMI](uwf-overlaysetcriticalthreshold.md): `UWF_Overlay.SetCriticalThreshold`
+
+ Note, these settings will take affect after the next reboot.
+
+1. Use Task Scheduler to detect the ETW message and to warn users to wrap up their work on the device so they do not lose their content before the overlay is cleared. You can also provide a link to script to clear the contents of the overlay.
+
+ Create tasks that trigger on the event that the **System** log receives an event ID from **uwfvol**:
+
+ | Overlay usage | Source | Level | Event ID |
+ |---------------------|---------|-------------|----------|
+ | Warning threshold | uwfvol | Warning | 1 |
+ | Critical threshold | uwfvol | Error | 2 |
+ | Back to normal | uwfvol | Information | 3 |
+
+1. Reboot the device.
+
+### Freespace passthrough (recommended)
+
+On devices with a disk overlay, you can use freespace passthrough to access your drive's additional free space.
+
+You'll still need to reserve some space on the disk for the overlay. This space is used to manage the overlay, and to store overwrites, such as system updates. All other writes are sent to free space on disk. Over time, the reserved overlay will grow slower and slower, because overwrites will just keep replacing one another.
+
+On devices with a RAM overlay, you can also use freespace passthrough to access your drive's additional free space to reduce overlay usage.
+However, freespace passthrough is not recommended for use with a RAM overlay because it does not reduce wear on write-sensitive media like solid-state drives.
+
+- [CMD](uwfmgrexe.md): uwfmgr overlay set-passthrough (on|off)
+
+### Persistent overlay
+
+> [!NOTE]
+> This mode is experimental, and we recommend thoroughly testing it before deploying to multiple devices. This option is not used by default.
+
+On devices with a disk overlay, you can choose to keep working using the overlay data, even after a reboot. This can be helpful in situations where your guest users may need to access for longer periods, and may need to power off the device between uses.
+
+This option gives your IT department more control over when the overlay is reset. You can also provide your users with scripts that will help them reset the overlay on demand.
+
+To turn persistent overlay on or off:
+
+- [CMD](uwfmgrexe.md): uwfmgr overlay set-persistent (on|off)
+
+To reset the overlay:
+
+- [CMD](uwfmgrexe.md): `uwfmgr overlay reset-persistentstate on`
+
+### Overlay exhaustion
+
+If the size of the overlay is close to or equal to the maximum overlay size, any write attempts will fail, returning an error indicating that there is not enough space to complete the operation. If the overlay on your device reaches this state, your device may become unresponsive and sluggish, and you may need to restart your device.
+
+When Windows shuts down, it attempts to write a number of files to the disk. If the overlay is full, these write attempts fail, causing Windows to attempt to rewrite the files repeatedly until UWF can determine that the device is trying to shut down and resolve the issue. Attempting to shut down by using normal methods when the overlay is full or near to full can result in the device taking a long time, in some cases up to an hour or longer, to shut down.
+
+You can often avoid this issue by using UWF to automatically initiate the shut down or restart:
+
+- **Shut down**:
+ - [CMD](uwfmgrexe.md): `uwfmgr shutdown`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `ShutdownSystem`
+ - [WMI](uwf-filtershutdownsystem.md): `UWF\Filter.ShutdownSystem`
+
+- **Restart**:
+ - [CMD](uwfmgrexe.md): `uwfmgr restart`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `RestartSystem`
+ - [WMI](uwf-filterrestartsystem.md): `UWF\Filter.RestartSystem`
+
+Windows 10 19H1 and later will automatically restart if the maximum size of the overlay is exceeded.
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
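Review bot: The command lines at "uwfmgr overlay set-passthrough (on|off)" and "uwfmgr overlay set-persistent (on|off)" are plain text while "`uwfmgr overlay reset-persistentstate on`" and the shutdown/restart commands are in backticks; format all of them as inline code so they render consistently. The link "[Unified Write Filter]( index.md)" has a stray space before the path that may break the link on some renderers. Under "Freespace passthrough (recommended)", the RAM-overlay paragraph says passthrough is not recommended there, so the heading's "(recommended)" qualifier should be scoped to disk overlays or dropped to avoid contradicting the text.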
diff --git a/windows/configuration/unified-write-filter/uwftroubleshooting.md b/windows/configuration/unified-write-filter/uwftroubleshooting.md
new file mode 100644
index 0000000000..b2b1465444
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwftroubleshooting.md
@@ -0,0 +1,33 @@
+---
+title: Troubleshooting Unified Write Filter (UWF)
+description: Troubleshooting Unified Write Filter (UWF)
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# Troubleshooting Unified Write Filter (UWF)
+
+Review the log files and error message information locations for Unified Write Filter (UWF) on your Windows 10 Enterprise device.
+
+If you are having difficulties configuring Unified Write Filter (UWF) on your device, see the following information about how to find event log and error message information for troubleshooting problems with UWF.
+
+## Event logs
+
+UWF uses Windows Event Log to log events, errors and messages.
+
+* Events related to overlay consumption are sent by UWF kernel mode components and are logged in the **Windows Logs\\System** event log.
+* Event related to configuration changes and servicing logs are sent by UWF user mode components:
+ * Error messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Admin** event log.
+ * Informational messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Operational** event log.
+
+## Related articles
+
+[Unified Write Filter]( index.md)
+
+[Common write filter exclusions](uwfexclusions.md)
+
+[Service UWF-protected devices](service-uwf-protected-devices.md)
+
+[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+
+[uwfmgr.exe](uwfmgrexe.md)
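Review bot: This is a new file, but the front matter carries "ms.date: 05/02/2017" and a description that merely repeats the title; set a current date and write a one-line description of what the page covers. In the Event logs list, "Event related to configuration changes" should read "Events related to configuration changes", and "[Unified Write Filter]( index.md)" has a stray space before the path. Since the page is the troubleshooting entry point, it would help to point readers at the overlay-consumption event IDs (1, 2, 3 from source uwfvol) that the overlay page documents, so the two pages line up.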
diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md
index 6c056b86f1..c16b4fb35a 100644
--- a/windows/configuration/windows-spotlight/index.md
+++ b/windows/configuration/windows-spotlight/index.md
@@ -2,7 +2,7 @@
title: Configure Windows spotlight
description: Learn how to configure Windows spotlight using Group Policy and mobile device management (MDM) settings.
ms.topic: how-to
-ms.date: 04/23/2024
+ms.date: 12/05/2024
ms.author: paoloma
author: paolomatarazzo
appliesto:
@@ -21,6 +21,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug
:::image type="content" source="images/lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows Spotlight enabled." border="false":::
+> [!NOTE]
+> After installing the [KB5046633 (October 22, 2024)](https://support.microsoft.com/topic/22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, use the [AllowSpotlightCollection policy setting](#policy-settings), or configure a custom lock screen and background image.
+
::: zone-end
::: zone pivot="windows-10"
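Review bot: "After installing the [KB5046633 (October 22, 2024)]" reads oddly with "the" before a bare KB number; "After installing the KB5046633 update (October 22, 2024)" or "After installing [KB5046633] ..." is cleaner. The same wording appears in the Windows 10 note in the next hunk, which unlike this one gives no policy option, only the custom-image workaround; if the AllowSpotlightCollection setting does not apply to Windows 10, say so there so admins do not go looking for it.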
@@ -31,6 +34,9 @@ Windows spotlight is a feature that displays different wallpapers and offers sug
:::image type="content" source="images/lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows Spotlight enabled." border="false":::
+> [!NOTE]
+> After installing the [KB5048652 (December 10, 2024)](https://support.microsoft.com/topic/19045-5247-454fbd4c-0723-449e-915b-8515ab41f8e3), the default Windows wallpaper changes to Windows spotlight. To modify this behavior, configure a custom lock screen and background image.
+
::: zone-end
## Windows edition and licensing requirements
diff --git a/windows/deployment/do/mcc-ent-deploy-to-linux.md b/windows/deployment/do/mcc-ent-deploy-to-linux.md
index 0fc31cdf23..8280d47b34 100644
--- a/windows/deployment/do/mcc-ent-deploy-to-linux.md
+++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md
@@ -26,6 +26,10 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine.
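Review bot: The note tells the reader to place "the proxy certificate file (.pem)" in the provisioning package directory but then shows an absolute placeholder in `proxyTlsCertificatePath="/path/to/pem/file"`; state whether the path may be relative to the package directory, or show the absolute path that results. It also helps to say which certificate is meant (the inspecting proxy's CA certificate, not a server leaf certificate), since that is what the cache node will end up trusting for its outbound TLS. Minor: the note is a single item, so the ">*" bullet inside the callout is unnecessary, and the Microsoft style guide prefers "for example" to "e.g.".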
@@ -42,6 +46,10 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine.
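Review bot: This callout is a verbatim copy of the one added in the previous hunk except for the word "Linux"; consider a shared include so the two copies cannot drift apart (the Windows page in this same PR already shows two different parameter names for the equivalent option).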
diff --git a/windows/deployment/do/mcc-ent-deploy-to-windows.md b/windows/deployment/do/mcc-ent-deploy-to-windows.md
index ba27a5f82f..275b637871 100644
--- a/windows/deployment/do/mcc-ent-deploy-to-windows.md
+++ b/windows/deployment/do/mcc-ent-deploy-to-windows.md
@@ -17,7 +17,7 @@ appliesto:
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Windows host machine.
-Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
+Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [local user account](https://support.microsoft.com/topic/20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
Before deploying Connected Cache to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource](mcc-ent-create-resource-and-cache.md).
@@ -26,14 +26,25 @@ Before deploying Connected Cache to a Windows host machine, ensure that the host
# [Azure portal](#tab/portal)
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
-1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the archive onto the host machine.
+
+ >[!Note]
+ >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
+
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a Windows host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePemFileName "mycert.pem"` to the provisioning command.
+
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
-1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
- For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+ For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
- If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+ If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
+
+ >[!Note]
+ >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
1. Run the provisioning command on the host machine.
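Review bot: "sychronization" is misspelled in the OneDrive note, and "the root directory of the host machine (e.g. C:\mccInstaller)" describes a folder under the system drive root, not the root itself; "a folder directly under the system drive root, for example C:\mccInstaller" is accurate. In the `$User` paragraph the second sentence drops the article: "For local user accounts, the `$User` PowerShell variable should be formatted as ...". The unchanged step "Set the Execution Policy to *Unrestricted*" leaves the host permanently unrestricted if taken literally; suggest scoping it to the session, for example `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process`, or telling the reader to restore the previous policy after provisioning.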
@@ -48,22 +59,33 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
```
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
-1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine.
+
+ >[!Note]
+ >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
+
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePath "path/to/pem/file"` to the provisioning command.
+
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
-1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
- For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+ For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, the `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
- If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+ If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
-1. Replace the values in the following provisioning command before running it on the host machine. **Note**: `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a Local User account as the Connected Cache runtime account.
+ >[!Note]
+ >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
+
+1. Replace the values in the following provisioning command before running it on the host machine.
```powershell-interactive
./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential
```
----
+---
## Steps to point Windows client devices at Connected Cache node
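Review bot: The two tabs now name the proxy certificate parameter differently for the same provisionmcconwsl.ps1 script: the portal tab adds `-proxyTlsCertificatePemFileName "mycert.pem"` while this tab adds `-proxyTlsCertificatePath "path/to/pem/file"`; only one can match the script, so check the parameter list and align both notes. Removing the sentence that said `-mccLocalAccountCredential $myLocalAccountCredential` is only needed for a local user account loses information the reader still needs, because the sample command still passes that parameter unconditionally; restore it as a callout next to the command. "sychronization" is misspelled here as well. The "----" to "---" change correctly closes the tab group, but the sample command line would be easier to copy if the bracketed placeholders used a consistent form (some say "enter ... here", some do not).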
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 125aed12f4..a09f4f9a76 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -29,9 +29,9 @@ Microsoft Connected Cache deployed directly to Windows relies on [Windows Subsys
## Supported scenarios and configurations
-Microsoft Connected Cache for Enterprise and Education (preview) is intended to support the following content delivery scenarios:
+Microsoft Connected Cache for Enterprise and Education (preview) is intended to support all Windows cloud downloads that use Delivery Optimization including, but not limited to, the following content delivery scenarios:
-- Pre-provisioning of devices using Windows Autopilot
+- Windows Autopilot deployment scenarios
- Co-managed clients that get monthly updates and Win32 apps from Microsoft Intune
- Cloud-only managed devices, such as Intune-enrolled devices without the Configuration Manager client, that get monthly updates and Win32 apps from Microsoft Intune
diff --git a/windows/deployment/do/mcc-ent-monitoring.md b/windows/deployment/do/mcc-ent-monitoring.md
index 9a4894896e..98c00bdcf4 100644
--- a/windows/deployment/do/mcc-ent-monitoring.md
+++ b/windows/deployment/do/mcc-ent-monitoring.md
@@ -18,25 +18,25 @@ ms.date: 10/30/2024
Tracking the status and performance of your Connected Cache node is essential to making sure you're getting the most out of the service.
-For basic monitoring, navigate to the **Overview** tab. Here you'll be able to view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed.
+For basic monitoring, navigate to the **Overview** tab. Here you can view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed. You can view more details about each cache node by navigating to the **Cache Nodes** section under the **Cache Node Management** tab. This page displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
-For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you'll be able to access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
+For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you can access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
-Between the two monitoring sections, you'll be able to gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
+Using the two monitoring sections, you can gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
## Basic Monitoring
### Cache node summary
-Below are the metrics you'll find in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
+Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.

| Metric | Description |
| --- | --- |
-| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as healthy. |
-| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as unhealthy. |
-| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from CDN endpoints in the last 24 hours. |
+| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as healthy. |
+| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as unhealthy. |
+| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from Content Delivery Network (CDN) endpoints in the last 24 hours. |
| Max out | The minimum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
| Average in | The average ingress in Mbps that your node has pulled from CDN endpoints in the last 24 hours. |
| Average out | The average egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
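Review bot: The unchanged row "| Max out | The minimum egress in Mbps ..." contradicts its own name; since the neighbouring rows are being edited anyway, fix it to "The maximum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours." Also "Megabits per second" should be lowercase "megabits per second" in the Max in row.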
@@ -65,6 +65,20 @@ This chart displays the volume of each supported content type in bytes (B) that
The content types displayed in the chart each have a distinct color and are sorted in descending order of volume. The bar chart is stacked such that you can visually compare total volume being delivered at different points in time.
+### Cache node details
+
+The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
+
+
+
+| Metric | Description |
+| --- | --- |
+| Cache node name | The user-defined name of the cache node. |
+| Status | The heartbeat status of the cache node. |
+| OS | The host machine OS that this cache node is compatible with. |
+| Software version | The version number of the cache node's Connected Cache container. |
+| Cache node ID | The unique identifier of the cache node. |
+
## Advanced Monitoring
To expand upon the metrics shown in the Overview tab, navigate to the **Metrics** tab in the left side toolbar of Azure portal.
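Review bot: The three blank "+" lines between the intro sentence and the table should be collapsed to one. The sentence "The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID." is now repeated word for word in the opening paragraph of this page (added earlier in this file); keep it in one place. The table header "Metric" does not fit rows such as Cache node name and Cache node ID, which are properties rather than metrics; "Field" or "Property" is more accurate. The Status row would be more useful if it said what the possible values are (the summary section above defines healthy and unhealthy by heartbeat within 24 hours).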
@@ -79,13 +93,13 @@ Listed below are the metrics you can access in this section:
### Customizable Dashboards
-Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that will notify you if your Connected Cache node dips in performance.
+Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that notify you if your Connected Cache node dips in performance.
Some example scenarios where you would want to set up a custom alert:
- My Connected Cache node is being shown as unhealthy and I want to know exactly when it stopped egressing last
- A new Microsoft Word update was released last night and I want to know if my Connected Cache node is helping deliver this content to my Windows devices
-## Additional Metrics
+## Client-Side Metrics
Your Connected Cache node can keep track of how much content has been sent to requesting Windows devices, but the node can't track whether the content was successfully received by the device. For more information on accessing client-side data from your Windows devices, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index 0f5b02bc00..9e896b0acf 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -11,7 +11,7 @@ appliesto:
- ✅ Windows 11
- ✅ Supported Linux distributions
- ✅ Microsoft Connected Cache for Enterprise
-ms.date: 10/30/2024
+ms.date: 01/15/2025
---
@@ -19,6 +19,18 @@ ms.date: 10/30/2024
This article contains instructions on how to troubleshoot different issues you may encounter while using Connected Cache. These issues are categorized by the task in which they may be encountered.
+## Known issues
+
+This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
+
+### Cache node monitoring chart in the Azure portal user interface displays incorrect information
+
+### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
+
+In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
+
+As a temporary workaround, the above error doesn't occur by changing the language setting of the local administrator user from Japanese to English and then executing the script.
+
## Steps to obtain an Azure subscription ID
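Review bot: The heading "Cache node monitoring chart in the Azure portal user interface displays incorrect information" has no body text, so the reader learns neither which chart is affected nor what the incorrect information is; add at least one sentence or remove the heading until there is something to say. The Japanese-language issue paragraph is hard to follow ("the check processing is executed until the value of the last execution code (Last Result) ... becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed"); if the script is matching the English "Last Result" column name in localized scheduled-task output, say that directly, for example "The script polls the installation task until its Last Result value is 0. On a Japanese-language OS the column is localized, so the lookup returns null and the script throws." The workaround sentence should likewise be rewritten as an instruction: "As a workaround, switch the local administrator account's display language to English and run the script again."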
@@ -38,7 +50,7 @@ If you're encountering a validation error, check that you have filled out all re
If your configuration doesn't appear to be taking effect, check that you have selected the **Save** option at the top of the configuration page in the Azure portal user interface.
-If you have changed the proxy configuration, you will need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
+If you have changed the proxy configuration, you'll need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
## Troubleshooting cache nodes created during early preview
@@ -50,7 +62,7 @@ As such, we strongly recommend you [recreate your existing resources in Azure](m
### Collecting Windows-hosted installation logs
-[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts will attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
+[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
There are three types of installation log files:
@@ -60,9 +72,19 @@ There are three types of installation log files:
The Registered Task Transcript is usually the most useful for diagnosing the installation issue.
-### WSL2 fails to install with message "A specified logon session does not exist"
+### Collecting other Windows-hosted logs
-If you are encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you are logged on as a local administrator and running the command from an elevated PowerShell window.
+Once the cache node has been successfully installed on the Windows host machine, it will periodically write log files to the installation directory (`C:\mccwsl01\` by default).
+
+You can expect to see the following types of log files:
+
+1. **WSL_Mcc_Monitor_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Monitor_Task" scheduled task that is responsible for ensuring that the Connected Cache continues running.
+1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
+1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
+
+### WSL2 fails to install with message "A specified logon session doesn't exist"
+
+If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
### Updating the WSL2 kernel
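Review bot: The new log-file list mixes "MCC software" with the "Connected Cache" name used everywhere else on the page; use one term. Script and task names are quoted inconsistently (double quotes for "MCC_Monitor_Task" and "uninstallmcconwsl.ps1", backticks elsewhere on the page); put file names and task names in backticks. "it will periodically write log files" can be "it periodically writes log files" to match the present-tense edits made elsewhere in this PR. It would also help to say whether these transcript files are overwritten or appended on each run, since that affects what an admin will find when investigating a failed uninstall.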
@@ -94,6 +116,20 @@ You can use Task Scheduler on the host machine to check the status of this sched
> [!Note]
> If the password of the runtime account changes, you'll need to update the user in all of the Connected Cache scheduled tasks in order for the Connected Cache node to continue functioning properly.
+### Cache node successfully deployed but not serving requests
+
+If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation. Since WSL 2 uses a virtualized ethernet adapter by default, port forwarding rules are needed to allow traffic to reach the WSL 2 instance from your LAN. For more information, see [Accessing network applications with WSL](/windows/wsl/networking#accessing-a-wsl-2-distribution-from-your-local-area-network-lan).
+
+To check your host machine's port forwarding rules, use the following PowerShell command.
+
+`netsh interface portproxy show v4tov4`
+
+If you don't see any port forwarding rules for port 80 to 0.0.0.0, you can run the following command from an elevated PowerShell instance to set the proper forwarding to WSL.
+
+`netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=`
+
+You can retrieve the WSL IP Address from the `wslip.txt` file that should be present in the installation directory you specified in the Connected Cache provisioning command ("c:\mccwsl01" by default).
+
## Troubleshooting cache node deployment to Linux host machine
[Deploying a Connected Cache node to a Linux host machine](mcc-ent-deploy-to-linux.md) involves running a series of Bash scripts contained within the Linux provisioning package.
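Review bot: The add command ends in "connectaddress=" with nothing after it, so a reader who copies it gets a netsh syntax error; the value the next paragraph describes should appear as a placeholder, for example `connectaddress=<WSL IP address from wslip.txt>`. Both netsh commands should be in fenced code blocks (the page already uses ```powershell-interactive fences) rather than inline code. It is worth stating that `listenaddress=0.0.0.0` makes the host answer on port 80 on every interface, not only the LAN-facing one, and that the Windows firewall still needs to permit inbound 80 for the profile in use, since a missing firewall rule produces the same "not serving requests" symptom as a missing portproxy rule.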
@@ -106,6 +142,31 @@ If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC*
You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`.
+## Generating cache node diagnostic support bundle
+
+You can generate a support bundle with detailed diagnostic information by running the `collectMccDiagnostics.sh` script included in the installation package.
+
+For Windows host machines, you'll need to do the following:
+
+1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install
+1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
+1. Run `wsl bash collectmccdiagnostics.sh` to generate the diagnostic support bundle
+1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
+
+ For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
+
+1. Run the `wsl cp` command to copy the support bundle from the location within the Ubuntu distribution to the Windows host OS
+
+ For example, `wsl cp /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz /mnt/c/mccwsl01/SupportBundles`
+
+For Linux host machines, you'll need to do the following:
+
+1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
+1. Run `collectmccdiagnostics.sh` to generate the diagnostic support bundle
+1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
+
+ For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
+
## Troubleshooting cache node monitoring
Connected Cache node status and performance can be [monitored using the Azure portal user interface](mcc-ent-monitoring.md).
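Review bot: the script name is spelled `collectMccDiagnostics.sh` in the introductory sentence but `collectmccdiagnostics.sh` in the Windows and Linux steps; the script runs inside Ubuntu, where file names are case-sensitive, so only one spelling can be right and the section should use it consistently. Two smaller points: the Linux step "Run `collectmccdiagnostics.sh`" should show how it is invoked (the Windows step uses `bash collectmccdiagnostics.sh`), and the `wsl cp ... /mnt/c/mccwsl01/SupportBundles` example silently creates a file named `SupportBundles` if that folder does not already exist, so add a note to create the destination folder first.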
@@ -116,4 +177,4 @@ If the issue persists, check that you have configured the Timespan and Cache nod
## Diagnose and Solve
-You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource will walk you through a few prompts to help narrow down the solution to your issue.
+You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource walks you through a few prompts to help narrow down the solution to your issue.
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index a5c2e9f782..26322219d3 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -15,7 +15,7 @@ metadata:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ms.date: 05/23/2024
+ ms.date: 01/14/2025
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache
@@ -35,10 +35,10 @@ sections:
answer: |
- Azure subscription
- Hardware to host Microsoft Connected Cache
- - Ubuntu 20.04 LTS on a physical server or VM of your choice.
+ - Ubuntu 22.04 LTS on a physical server or VM of your choice.
> [!NOTE]
- > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
+ > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS.
The following are recommended hardware configurations:
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index 284269f52e..5b9d4a5f66 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2024
---
# Operator sign up and service onboarding for Microsoft Connected Cache
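Review bot: `ms.date: 01/14/2024` looks like a typo for `01/14/2025`; the sibling files in this change set (`mcc-isp-faq.yml`, `mcc-isp-support.md`, `mcc-isp-vm-performance.md`) are all bumped to 01/14/2025, and the new value is earlier than the 05/23/2024 date it replaces.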
@@ -36,7 +36,7 @@ Before you begin sign up, ensure you have the following components:
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
-1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
+1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 22.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index dbced5230c..2eb833af48 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2025
---
# Support and troubleshooting
@@ -97,6 +97,15 @@ Rerun the IoT Edge Check command to validate proper connectivity:
```bash
iotedge check -verbose
```
+
+
+## Updating from Ubuntu 20.04 to 22.04
+You can now provision Microsoft Connected Cache for ISP on Ubuntu 22.04.
+If you have a cache node provisioned on Ubuntu 20.04, you will need to uninstall it first before updating to Ubuntu 22.04.
+Once you have updated the system, download the provisioning package from Azure portal and run the provisioning script on the portal.
+For more information on provisioning cache node, visit, [Create, provision and deploy cache node](mcc-isp-create-provision-deploy.md#provision-your-server).
+
+
## Diagnose and Solve Problems
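Review bot: in the new "Updating from Ubuntu 20.04 to 22.04" section, "run the provisioning script on the portal" is misleading: the package is downloaded from the Azure portal and the script is run on the cache node server, so reword to "download the provisioning package from the Azure portal and run the provisioning script on the server". The sentence "you will need to uninstall it first" should link to the uninstall steps so the reader knows what "uninstall" covers before the OS upgrade, and the last sentence has a stray comma and missing article ("For more information on provisioning a cache node, see [Create, provision and deploy cache node]"). Formatting: there are doubled blank lines before and after the section, and no blank line between the heading and its first paragraph.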
@@ -110,6 +119,7 @@ Within **Diagnose and solve problems**, select **Troubleshoot** under the type o
:::image type="content" source="images/mcc-isp-diagnose-solve-troubleshoot.png" alt-text="A screenshot of Azure portal showing the option to select Troubleshoot to continue troubleshooting common issues related to the installation of Microsoft Connected Cache." lightbox="images/mcc-isp-diagnose-solve-troubleshoot.png":::
+
## Steps to obtain an Azure subscription ID
To onboard onto Microsoft Connected Cache, you'll need an Azure subscription ID. Use the following steps to obtain your subscription ID:
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index f3d3079534..6df9fd0b0b 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -12,7 +12,7 @@ ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2025
---
# Enhancing cache performance
@@ -21,7 +21,7 @@ To make sure you're maximizing the performance of your cache node, review the fo
#### OS requirements
-The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
+The Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. Install Ubuntu 22.04 LTS on a physical server or VM of your choice.
#### NIC requirements
diff --git a/windows/deployment/images/mcc-ent-cache-node-details.png b/windows/deployment/images/mcc-ent-cache-node-details.png
new file mode 100644
index 0000000000..f73bd2e006
Binary files /dev/null and b/windows/deployment/images/mcc-ent-cache-node-details.png differ
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index ecd4861cbb..51a6fb4e62 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/16/2023
+ms.date: 11/26/2024
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -29,10 +29,10 @@ See the following video for a detailed description and demonstration of MBR2GPT.
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
-You can use MBR2GPT to:
+MBR2GPT can be used to:
-- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert any attached MBR-formatted system disk to the GPT partition format. The tool can't be used to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, the existing protectors need to be deleted and then recreated.
- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
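Review bot: the BitLocker bullet tells the reader that the existing protectors must be deleted and recreated after conversion but does not say to back up (escrow) the recovery information first; recreating protectors produces new recovery material, so a device whose old recovery key was stored in AD or Intune is no longer recoverable from that record. Suggest adding "Back up the recovery key before deleting the protectors" or a link to the BitLocker recovery guidance alongside that sentence.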
@@ -41,7 +41,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
-> Make sure that your device supports UEFI before attempting to convert the disk.
+> Make sure the device supports UEFI before attempting to convert the disk.
## Disk Prerequisites
@@ -93,7 +93,7 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
+1. Using DiskPart the current disk partition layout is displayed before the conversion. Three partitions are present on the MBR disk (disk 0):
- A system reserved partition.
- A Windows partition.
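Review bot: the rewritten first step needs a comma after the introductory phrase: "Using DiskPart, the current disk partition layout is displayed before the conversion." Without it the sentence reads as though DiskPart is the thing being used by the layout.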
@@ -110,7 +110,7 @@ In the following example:
1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
+As noted in the output from the MBR2GPT tool, changes to the computer firmware need to be made so that the new EFI system partition boots properly.
@@ -267,7 +267,7 @@ If the existing MBR system partition isn't reused for the EFI system partition,
> [!IMPORTANT]
>
-> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+> If the existing MBR system partition isn't reused for the EFI system partition, it might be assigned a drive letter. If this small partition isn't going to be used, its drive letter must be manually hidden.
### Partition type mapping and partition attributes
@@ -290,11 +290,11 @@ For more information about partition types, see:
### Persisting drive letter assignments
-The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
+The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that correct assignment of the drive letter can be manually performed.
> [!IMPORTANT]
>
-> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
+> This code runs after the layout conversion takes place, so the operation can't be undone at this stage.
The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
@@ -398,7 +398,7 @@ The partition type can be determined in one of three ways:
#### Windows PowerShell
-You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
+The following command can be entered at a Windows PowerShell prompt to display the disk number and partition type:
```powershell
Get-Disk | ft -Auto
@@ -417,7 +417,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
#### Disk Management tool
-You can view the partition type of a disk by using the Disk Management tool:
+The partition type of a disk can be viewed by using the Disk Management tool:
1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 9984fc897b..d91a00bbc2 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
-The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
+The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
-Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
+Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).
### Option 2: Use WSUS with UUP Integration
@@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
-The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
+The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 5: Install language features during deployment
@@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
-- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
+- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
-- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
-- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
-- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
+- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
## Sample scripts
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 5b67de2653..18e7af7514 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/03/2024
+ms.date: 12/27/2024
---
# Manage additional Windows Update settings
@@ -213,6 +213,12 @@ To do this, follow these steps:
* **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
+ * ScheduledInstallEveryWeek (REG_DWORD):
+
+ * **0**: Do not enforce a once-per-week scheduled installation
+
+ * **1**: Enforce automatic installations once a week on the specified day and time. (Requires ***ScheduledInstallDay*** and ***ScheduledInstallTime*** to be set.)
+
* ScheduledInstallDay (REG_DWORD):
* **0**: Every day.
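Review bot: the two new `ScheduledInstallEveryWeek` value descriptions are punctuated inconsistently with each other and with the neighbouring `ScheduledInstallDay` entries: value 0 has no terminal period while value 1 does, and the surrounding items ("**0**: Every day.") all end with one. "Do not enforce" also breaks the contraction style used throughout the rest of this change set ("can't", "isn't"); "Don't enforce" keeps it consistent.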
@@ -294,7 +300,7 @@ On new devices, Windows Update doesn't begin installing background updates until
In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
-- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
+- **Registry key**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator`
- **DWORD value name**: ScanBeforeInitialLogonAllowed
- **Value data**: 1
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index b6dbfb03a0..f5d53887cf 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -257,6 +257,7 @@ The PnP enumerated device is removed from the System Spec because one of the har
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
+| `0x80070020` | `InstallFileLocked`| Couldn't access the file because it is already in use. This can occur when the installer tries to replace a file that an antivirus, antimalware or backup program is currently scanning. |
| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.
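Review bot: the new `0x80070020` row does not follow the table's conventions. Every other row gives the Windows Update Agent symbolic name (`WU_E_...`), whereas `InstallFileLocked` is not a constant of that form; and `0x8007xxxx` codes are Win32 errors wrapped in an HRESULT, while this table lists the `0x8024xxxx` agent codes, so the row may belong in the section for Win32-derived errors instead. Formatting: there is no space before the `|` after `InstallFileLocked`, and the row carries a closing `|` that the surrounding rows omit.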
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index cefc7b717e..faa2671fbe 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -159,7 +159,8 @@ Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates
The **Update status** group for driver updates contains the following items:
-- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
+- **Update states for all driver updates**: Chart containing the number of driver updates in a specific state, such as installing.
+
- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
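Review bot: the added blank line separates only the first two bullets of the **Update status** list while the remaining bullets stay tight, which renders as a loose/tight list mix; either separate every item or drop the blank line.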
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 30052f5291..a011e4c21c 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -68,6 +68,8 @@
href: manage/windows-autopatch-windows-update-policies.md
- name: Programmatic controls for expedited Windows quality updates
href: manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+ - name: Hotpatch updates
+ href: manage/windows-autopatch-hotpatch-updates.md
- name: Driver and firmware updates
href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
items:
@@ -116,6 +118,8 @@
href: monitor/windows-autopatch-windows-quality-update-trending-report.md
- name: Reliability report
href: monitor/windows-autopatch-reliability-report.md
+ - name: Hotpatch quality update report
+ href: monitor/windows-autopatch-hotpatch-quality-update-report.md
- name: Windows feature and quality update device alerts
href: monitor/windows-autopatch-device-alerts.md
- name: Policy health and remediation
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index c5f450553f..c4a299bb50 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -36,7 +36,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
### Device readiness checks available for each scenario
-| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
+| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker) |
| ----- | ----- |
|
Windows OS (build, architecture, and edition)
Managed by either Intune or ConfigMgr co-management
ConfigMgr co-management workloads
Last communication with Intune
Personal or non-Windows devices
|
Windows OS (build, architecture, and edition)
Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
Internet connectivity
|
@@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
-The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
+The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
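Review bot: subject-verb agreement in the rewritten paragraph: "The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin" now has a compound subject and should read "have". It is also ambiguous whether each component ships its own copy of the plugin or they share one; a short clause saying which would help the reader interpret the log path given later in the page.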
@@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work
| Step | Description |
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
-| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
|
-| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.
|
+| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.
|
+| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.
|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. |
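Review bot: Step 9's rewritten cell keeps singular wording after the subject became plural: "the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent" should be "services evaluate ... gathered by their agents", and "service component sends" in the next sentence should likewise be "service components send". Step 8 was updated correctly ("agents perform"), so the two cells are now inconsistent with each other.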
@@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
-| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
+| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.
Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.
|
## Additional resources
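Review bot: Subject-verb agreement breaks in the rewritten answer: `agents collect device readiness statuses when it runs` should read `when they run`, and the two service sentences (`sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service` and `service component sends`) need `services` / `service components send` now that two agents are named. Also confirm whether the Windows Autopatch Client Broker writes to the same `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log` file the cell still cites; that path is specific to the CMDExtension plugin, so if the broker logs elsewhere the cell should give its path (or say only the extension writes this file), otherwise an admin troubleshooting a broker-only device will look in the wrong place.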
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
new file mode 100644
index 0000000000..026f05bd13
--- /dev/null
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -0,0 +1,97 @@
+---
+title: Hotpatch updates
+description: Use Hotpatch updates to receive security updates without restarting your device
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch updates (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+## Key benefits
+
+- Hotpatch updates streamline the installation process and enhance compliance efficiency.
+- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
+- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
+
+## Operating system configuration prerequisites
+
+To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
+
+### Virtualization based security (VBS)
+
+VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security).
+
+### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
+
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
+Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
+Key value: `**HotPatchRestrictions=1**`
+
+> [!IMPORTANT]
+> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
+
+If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
+
+## Eligible devices
+
+To benefit from Hotpatch updates, devices must meet the following prerequisites:
+
+- Operating System: Devices must be running Windows 11 24H2 or later.
+- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
+- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+## Ineligible devices
+
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
+
+LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
+
+> [!NOTE]
+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
+
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+- Baseline Release Months: January, April, July, October
+- Hotpatch Release Months: February, March, May, June, August, September, November, December
+
+## Enroll devices to receive Hotpatch updates
+
+> [!NOTE]
+> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+
+**To enroll devices to receive Hotpatch updates:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Manage updates** section, select **Windows updates**.
+1. Go to the **Quality updates** tab.
+1. Select **Create**, and select **Windows quality update policy (preview)**.
+1. Under the **Basics** section, enter a name for your new policy and select Next.
+1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**.
+1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Assign the devices to the policy and select **Next**.
+1. Review the policy and select **Create**.
+
+These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+
+> [!NOTE]
+> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
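Review bot: The registry instruction in the CHPE section will not render as intended and is underspecified: `` `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` `` and `` `**HotPatchRestrictions=1**` `` put bold markers inside code spans, so readers see literal asterisks, and the `Path:` / `Key value:` lines follow the paragraph with no blank line, so Markdown folds them into one run-on sentence. Suggest a two-item list with plain code spans, labelling the second item as the value name and stating its data type, and keep the same form for the `HotPatchRestrictions=0` revert sentence. Smaller fixes in the same hunk: `They're made available on a "Preview" basis` has no plural antecedent (`This feature ... It's`), `the emulation x86-only binaries` should be `the x86-only (emulated) binaries`, `LCUs requires you to restart` should be `LCUs require`, and the setting name in step 7 has a stray opening quote (`**"When available, apply without restarting the device ("Hotpatch")**`). Finally, both "Release notes for Hotpatch" links point at the Azure Automanage for Windows Server 2022 release notes with `?preview=true`; please verify that is the intended reference for Windows 11 24H2 client hotpatching rather than a placeholder.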
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
index cce3435eec..ffcd082e07 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
@@ -78,6 +78,9 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
> [!IMPORTANT]
> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> [!CAUTION]
+> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports.
+
## Rename an Autopatch group
**To rename an Autopatch group:**
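Review bot: The new `> [!CAUTION]` block is placed directly under the existing `> [!IMPORTANT]` block with no blank line between them, so Markdown merges both into a single blockquote and the second alert marker renders as body text; insert an empty line after the IMPORTANT paragraph. The caution's sentence is also grammatically broken (`If a device that was previously added to an Autopatch group uses an Entra group ... is removed from the Entra group`); suggest: "If a device was added to an Autopatch group through a Microsoft Entra group (Assigned or Dynamic distribution) and is later removed from that Entra group, the device is de-registered from Windows Autopatch."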
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
index ddab13c440..e968491819 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -68,7 +68,7 @@ For deployment rings set to **Automatic**, you can choose the deferral period fo
The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period.
-The deferral period can be set from 0 to 14 days, and it can be different for each deployment ring.
+The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring.
> [!NOTE]
> The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
index e68df90cbb..81669a6614 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md
@@ -1,7 +1,7 @@
---
title: Manage Update rings
description: How to manage update rings
-ms.date: 09/16/2024
+ms.date: 12/10/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -43,7 +43,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc
2. Select **Devices** from the left navigation menu.
3. Under the **Manage updates** section, select **Windows updates**.
4. In the **Windows updates** blade, go to the **Update rings** tab.
-5. Select **Enroll policies**.
+5. Select **Enroll policies**. **This step only applies if you've gone through [feature activation](../prepare/windows-autopatch-feature-activation.md)**.
6. Select the existing rings you would like to import.
7. Select **Import**.
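Review bot: Step 5 now mixes an instruction with a conditional scope statement (`Select **Enroll policies**. **This step only applies if you've gone through [feature activation]...**`), which leaves a reader who has not activated features unsure whether to skip only step 5 or the whole import procedure. Suggest moving the condition into a `> [!NOTE]` above the numbered list (or stating it as a prerequisite), and keeping step 5 as the bare action.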
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
index 3d2d33db5d..b5259a8275 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
-ms.date: 10/30/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -120,6 +120,9 @@ For more information about Windows feature update policies that are created for
## Pause and resume a release
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
> [!IMPORTANT]
> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
index 656f94452c..ed17d7438c 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
-ms.date: 10/30/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@@ -66,6 +66,9 @@ For the deployment rings that pass quality updates deferral date, the OOB releas
## Pause and resume a release
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
index 77acf64924..2aefa858cc 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 09/24/2024
+ms.date: 12/10/2024
---
# Programmatic controls for expedited Windows quality updates
@@ -34,6 +34,9 @@ In this article, you will:
All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients.
+> [!IMPORTANT]
+> This step isn't required if your device is running Windows 11 24H2 and later.
+
- The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods:
- Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates)
- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
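Review bot: The inserted `> [!IMPORTANT]` says `This step isn't required if your device is running Windows 11 24H2 and later`, but it sits between a sentence listing all Autopatch prerequisites and the bullet about installing the Update Health Tools, so "this step" is ambiguous. Name the requirement explicitly ("Installing the Update Health Tools isn't required on Windows 11, version 24H2 and later") and, if that is the intent, state whether the readiness test and folder check below still apply on those builds.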
@@ -269,7 +272,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
## Add members to the deployment audience
-The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update is expedited.
The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device:
@@ -299,7 +302,7 @@ To verify the devices were added to the audience, run the following query using
## Delete a deployment
-To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+To stop an expedited deployment, DELETE the deployment. Deleting the deployment prevents the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval must be created.
The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
@@ -309,7 +312,7 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e
## Readiness test for expediting updates
-You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results.
+You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service checks to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
new file mode 100644
index 0000000000..afa0dfe072
--- /dev/null
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
@@ -0,0 +1,67 @@
+---
+title: Hotpatch quality update report
+description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch quality update report (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
+
+**To view the Hotpatch quality update status report:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Hotpatch quality updates (preview)**.
+
+> [!NOTE]
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+### Default columns
+
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
+The following information is available as default columns in the Hotpatch quality update report:
+
+| Column name | Description |
+| ----- | ----- |
+| Quality update policy | The name of the policy. |
+| Device name | Total number of devices in the policy. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Hotpatched | Total devices that successfully received a Hotpatch update. |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
+| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |
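Review bot: The default-columns table has a label/description mismatch and two mis-targeted links: `| Device name | Total number of devices in the policy. |` describes a count, not a name (compare the other per-policy reports, which use a device-count column); `| Not ready | ... see [Not ready](...#not-up-to-date-devices)` points at the Not up to date anchor; and `| Paused | ... see [Up to Date](...#up-to-date-devices)` links the Paused status to the Up to Date section. Please fix the column name and point each link at its own status anchor. Also, this file links the reports overview as `../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md` in the table but `../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md` in the refresh note; the latter matches the file modified later in this patch, so the `../operate/` references look stale.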
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
index 4219401d76..c70e5b8f7a 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Feature update status report
-description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a per device view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices.
**To view the Feature update status report:**
@@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Feature update status report:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
index 4e65d5e28b..fe310f106a 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
-description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a broader view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
@@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
@@ -45,6 +48,9 @@ The following information is available in the Summary dashboard:
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| % with the target feature update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the targeted feature update. |
+> [!NOTE]
+> The Windows Autopatch feature update report always displays the higher Windows version a device is taking. If target versions are identical, the report shows the most recent release or binding time. Release takes precedence over standalone DSS policy.
+
## Report options
The following options are available:
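Review bot: The new note introduces the acronym `DSS` (`Release takes precedence over standalone DSS policy`) without expanding it, and `the higher Windows version a device is taking` is vague; spell out what policy type DSS refers to and rephrase to say which target the report shows when a device is targeted by both a release and a standalone policy (the newer target version, or when equal, the most recently released or assigned one).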
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
index b2b2d8bf42..4b2f2596df 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
-ms.date: 09/16/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -27,7 +27,7 @@ The Windows quality reports provide you with information about:
- Device update health
- Device update alerts
-Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+Together, these reports provide insight into the quality update state and compliance of Intune devices.
The Windows quality report types are organized into the following focus areas:
@@ -61,7 +61,7 @@ Users with the following permissions can access the reports:
## About data latency
-The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
## Windows quality and feature update statuses
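Review bot: The latency figure changed from `approximately 48 hours` to `approximately four hours`, but the preceding sentence in the same paragraph still says `The data typically uploads from enrolled devices once per day`; an end-to-end maximum of four hours cannot hold if the device-side upload is daily. Either update the upload cadence to match the new pipeline or clarify that the four hours is the service-side processing window after data arrives.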
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
index bcd381e6d1..abde6947cc 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Quality update status report
-description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a per device view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
+The Quality update status report provides a per device view of the current update status for all Intune devices.
**To view the Quality update status report:**
@@ -29,12 +29,15 @@ The Quality update status report provides a per device view of the current updat
1. Select **Quality update status**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Quality update status report:
| Column name | Description |
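Review bot: the refresh note still says data is "received by your Windows Autopatch managed devices" while the intro of the same file was just changed to "all Intune devices"; pick one term for the file. The new IMPORTANT callout also gives no date or Message center reference, so readers cannot tell how old the known issue is; add the date it was identified (the ms.date bump to 11/20/2024 suggests November) so the callout can be retired cleanly when the fix ships.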
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
index c145b09b4c..52bb8e8d65 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
-description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a summary view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
+The Summary dashboard provides a summary view of the current update status for all Intune devices.
**To view the current update status for all your enrolled devices:**
@@ -27,10 +27,13 @@ The Summary dashboard provides a summary view of the current update status for a
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
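Review bot: this callout names the missing column "Paused", whereas the identical callout added to the Quality update status report names it "Pause status"; each should match the column name as it appears in that report's own columns table, and if both reports expose the same column, use one name in both callouts. The refresh note here says "your managed devices" while the status report's says "your Windows Autopatch managed devices"; align the two.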
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 386ec22830..97d26c798d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
-ms.date: 09/27/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
+| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
+| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
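Review bot: the new "Hotpatch quality update report" row is separated from the "Hotpatch updates" row by the unrelated "Intune reports" row; place the two Hotpatch rows together. The description should also follow the pattern of the neighbouring rows ("Provides a per policy level view ...") rather than repeat the row name, and both link targets (`../manage/windows-autopatch-hotpatch-updates.md`, `../monitor/windows-autopatch-hotpatch-quality-update-report.md`) should be confirmed to exist in the repository before merge, since a broken relative link fails the docs build.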
@@ -70,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
-| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
+| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
## Communications
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
index 822866ede9..a39b3238a9 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
@@ -87,7 +87,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
+> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
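Review bot: the corrected sentence still contains the doubled article "and the toggle the must be set to"; while fixing Office to Edge, change it to "and the toggle must be set to **Allow**".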
@@ -100,7 +100,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
+> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]
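Review bot: same doubled "the toggle the must be set to" as in the Edge section, fix to "the toggle must be set to **Allow**". Also the **Allow** link here points at `windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group`, a generic Autopatch group anchor, while the Edge section links to its own allow/block anchor; if the driver toggle is documented in `../manage/windows-autopatch-manage-driver-and-firmware-updates.md` (linked from the overview table in this PR), link there instead.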
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index f7ca1e60c8..815d13a816 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 09/27/2024
+ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## November 2024
+
+### November feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| Hotpatch |
|
+
## September 2024
### September feature releases or updates
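Review bot: the November table row is incomplete: `| Hotpatch |` is followed by a bare `|` on the next line, so the row has no Description cell and no article link and will not render as a table row. The page intro says entries list "corresponding Message center post numbers", so the row should read along the lines of `| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install Monthly B release security updates without restarting the device. <Message center post number> |` on a single line.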
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
index 4ee7ef2757..42881a0f12 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
@@ -43,7 +43,7 @@ All App Control for Business policy changes should be deployed in audit mode bef
## Choose how to deploy App Control policies
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
+> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
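Review bot: "Windows 11 updates earlier than 2024 (24H2)" misuses the version naming; the convention is "Windows 11, version 24H2", so write "on Windows 11 versions earlier than 24H2". Now that the issue is scoped to older versions, the note should also state what applies on 24H2 and later, i.e. whether the reboot after activating a new signed Base policy is still needed there, otherwise readers on 24H2 cannot tell which path to follow.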
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
index 3ce08b2022..67506d5785 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
@@ -81,7 +81,7 @@ The following recommended blocklist xml policy file can also be downloaded from
```xml
- 10.0.27685.0
+ 10.0.27770.0{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
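Review bot: the `+` line carries a GUID `{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}` that the `-` line does not. If that is a new or changed PolicyID/BasePolicyID rather than an unchanged element that happens to render on the same line, it must be called out in the article, because App Control treats a policy with a different PolicyID as a separate policy that coexists with the previously deployed blocklist instead of replacing it, and admins who deployed 10.0.27685.0 would need to remove the old policy explicitly.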
@@ -378,6 +378,26 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -552,6 +572,12 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
@@ -1015,10 +1041,10 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
+
+
+
+
@@ -1238,6 +1264,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -1266,150 +1294,150 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1579,6 +1607,70 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1716,6 +1808,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1736,6 +1829,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1781,6 +1875,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1852,6 +1947,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1879,6 +1975,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1898,6 +1995,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1925,6 +2023,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -1944,6 +2043,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2016,6 +2116,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2035,9 +2136,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
-
+
@@ -2053,6 +2155,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2071,6 +2174,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2103,7 +2207,7 @@ The following recommended blocklist xml policy file can also be downloaded from
-
+
@@ -2157,6 +2261,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2176,6 +2281,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2345,6 +2451,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -2663,7 +2770,17 @@ The following recommended blocklist xml policy file can also be downloaded from
-
+
+
+
+
+
+
+
+
+
+
+
@@ -2809,6 +2926,43 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2916,12 +3070,40 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2929,10 +3111,13 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
@@ -2956,6 +3141,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
@@ -2967,6 +3156,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -3011,6 +3201,10 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
@@ -3034,6 +3228,7 @@ The following recommended blocklist xml policy file can also be downloaded from
+
@@ -3071,6 +3266,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -3382,6 +3579,26 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3556,6 +3773,12 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
@@ -4025,9 +4248,9 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
+
+
+
@@ -4243,6 +4466,8 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
@@ -4275,78 +4500,78 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4356,78 +4581,78 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4588,6 +4813,70 @@ The following recommended blocklist xml policy file can also be downloaded from
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4713,16 +5002,16 @@ The following recommended blocklist xml policy file can also be downloaded from
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
@@ -4745,7 +5034,7 @@ The following recommended blocklist xml policy file can also be downloaded from
- 10.0.27685.0
+ 10.0.27770.0
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
index c8bb39fb47..617ba5eb29 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
@@ -9,7 +9,7 @@ appliesto:
# CiTool technical reference
-CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
+CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's included in the Windows images starting with Windows 11, version 22H2, and Windows Server 2025.
## Policy commands
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
index 4948af5cf1..f2db0b2d7a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
@@ -139,22 +139,22 @@ The Microsoft Root certificates can be allowed and denied in policy using 'WellK
| 0| None | N/A |
| 1| Unknown | N/A |
| 2 | Self-Signed | N/A |
-| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
-| 4 | Microsoft Product Root 1997 | `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` |
-| 5 | Microsoft Product Root 2001 | `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`|
-| 6 | Microsoft Product Root 2010 | `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`|
-| 7 | Microsoft Standard Root 2011 | `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`|
-| 8 | Microsoft Code Verification Root 2006 | `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`|
+| 3 | Microsoft Authenticode(tm) Root Authority | `3082010A0282010100DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B0203010001` |
+| 4 | Microsoft Product Root 1997 | `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` |
+| 5 | Microsoft Product Root 2001 | `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`|
+| 6 | Microsoft Product Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
+| 7 | Microsoft Standard Root 2011 | `3082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
+| 8 | Microsoft Code Verification Root 2006 | `3082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
-| 0A | Microsoft Test Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
-| 0B | Microsoft DMD Test Root 2005 | `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`|
-| 0C | Microsoft DMDRoot 2005 | `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`|
-| 0D | Microsoft DMD Preview Root 2005 | `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`|
-| 0E | Microsoft Flight Root 2014 | `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`|
-| 0F | Microsoft Third Party Marketplace Root | `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`|
+| 0A | Microsoft Test Root 2010 | `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`|
+| 0B | Microsoft DMD Test Root 2005 | `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`|
+| 0C | Microsoft DMDRoot 2005 | `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`|
+| 0D | Microsoft DMD Preview Root 2005 | `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`|
+| 0E | Microsoft Flight Root 2014 | `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`|
+| 0F | Microsoft Third Party Marketplace Root | `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`|
| 14 | Microsoft Trusted Root Store | N/A |
-| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
-| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
+| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
+| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
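Review bot: the new row 6 (Microsoft Product Root 2010) value `3082020A028202010095E3A8C1...` is byte-for-byte the RSAPublicKey body of the value the removed row 0A (Microsoft Test Root 2010) carried (`30820222300D06092A864886F70D01010105000382020F00` followed by the same `3082020A028202010095E3A8C1...`); a production root and a test root cannot share a public key, so one of the two rows is mislabeled. Confirm which root this key belongs to and that the new 0A value differs from row 6. Separately, the rewritten rows drop the SubjectPublicKeyInfo wrapper and list the bare RSAPublicKey SEQUENCE (`3082010A...` / `3082020A...`), while the unchanged row 9 (Microsoft Test Root 1999) still uses the wrapped form (`3081DF300D06092A864886F70D0101010500...`); use one encoding throughout and say which in the column header. Minor: in the closing sentence, "For example, they don't need to be listed" should read "That is, they don't need to be listed".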
diff --git a/windows/security/application-security/index.md b/windows/security/application-security/index.md
deleted file mode 100644
index 6d2ac65456..0000000000
--- a/windows/security/application-security/index.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Windows application security
-description: Get an overview of application security in Windows
-ms.date: 08/02/2023
-ms.topic: conceptual
----
-
-# Windows application security
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
-
-Learn more about application security features in Windows.
-
-[!INCLUDE [application](../includes/sections/application.md)]
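Review bot: Deleting this page drops the only visible reference to `../includes/sections/application.md`; if no other page still includes it, remove the include file in the same PR so it doesn't linger as an orphan, and if something does still include it, confirm the page this one redirects to carries the same feature list. Also confirm a redirect entry exists for `windows/security/application-security/index.md`, since the page had a published title and inbound links will otherwise 404.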
diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml
index 84c5873b45..c8a80ddfef 100644
--- a/windows/security/application-security/toc.yml
+++ b/windows/security/application-security/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Overview
- href: index.md
- name: Application and driver control
href: application-control/toc.yml
- name: Application isolation
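Review bot: Removing the `Overview` node leaves this TOC section without a landing entry, so `Application and driver control` becomes the first page a reader reaches from the section heading. If the book page is now the intended overview, add a node pointing at it rather than leaving the section headless; otherwise this is fine as a pure cleanup of the deleted `index.md`.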
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 462cf9cf11..d69dbb0445 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -1,68 +1,20 @@
---
-title: Application and driver control
-description: Windows 11 security book - Application and driver control.
+title: Windows 11 Security Book - Application And Driver Control
+description: Application and driver control.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 12/11/2024
---
# Application and driver control
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
-capabilities to build in security from the ground up to protect against breaches and malware.
+[!INCLUDE [smart-app-control](includes/smart-app-control.md)]
-## Smart App Control
+[!INCLUDE [app-control-for-business](includes/app-control-for-business.md)]
-Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
+[!INCLUDE [administrator-protection](includes/administrator-protection.md)]
-Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
-Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
+[!INCLUDE [microsoft-vulnerable-driver-blocklist](includes/microsoft-vulnerable-driver-blocklist.md)]
-Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
-
-## App Control for Business
-
-Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
-
-Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
-
-Customers using Microsoft Intune[\[9\]](conclusion.md#footnote9) to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
-
-Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
-
-## User Account Control
-
-User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-
-Organizations can use a modern device management (MDM) solution like Microsoft Intune[\[9\]](conclusion.md#footnote9) to remotely configure UAC settings. Organizations without MDM can change settings directly
-on the device.
-
-Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
-apps and prevent inadvertent changes to system settings.
-
-Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
-
-Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
-
-:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
-
-## Microsoft vulnerable driver blocklist
-
-The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
+[!INCLUDE [trusted-signing](includes/trusted-signing.md)]
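Review bot: The new front matter title `Windows 11 Security Book - Application And Driver Control` uses Title Case (including `And`), while the cloud-services pages in this same PR use sentence case (`Windows 11 security book - Cloud services - ...`); pick one convention for all book pages. The rewrite also drops the User Account Control section and all four `Learn more` links (Smart App Control, Application Control for Windows, How User Account Control works, Microsoft recommended driver block rules) with no replacement visible here; check that `includes/administrator-protection.md` covers the UAC material and that each include carries its own learn-more list, otherwise the page loses its reference links. Removing the `[\[9\]](conclusion.md#footnote9)` Intune footnotes here while the work-information page renumbers the same footnote to `footnote4` indicates the footnote table in `conclusion.md` changed; confirm the includes reference the new numbers.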
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 603d0138a4..00bf51928f 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -1,53 +1,20 @@
---
-title: Application isolation
-description: Windows 11 security book - Application isolation.
+title: Windows 11 Security Book - Application Isolation
+description: Application isolation.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 12/11/2024
---
# Application isolation
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-## Win32 app isolation
+[!INCLUDE [win32-app-isolation](includes/win32-app-isolation.md)]
-Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
+[!INCLUDE [app-containers](includes/app-containers.md)]
-Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
+[!INCLUDE [windows-sandbox](includes/windows-sandbox.md)]
-In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
+[!INCLUDE [windows-subsystem-for-linux](includes/windows-subsystem-for-linux.md)]
-To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
-
-To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
-
-- Approaches for accessing data and privacy information
-- Integrating Win32 apps for compatibility with other Windows interfaces
-
-The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
-
-## Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
-
-Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
-- [Windows Sandbox is a new lightweight desktop environment tailored for safely
-running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
-
-## App containers
-
-In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
-
-Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
+[!INCLUDE [virtualization-based-security-enclaves](includes/virtualization-based-security-enclaves.md)]
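Review bot: The section order changes from Win32 app isolation, Windows Sandbox, App containers to Win32 app isolation, App containers, Windows Sandbox, plus two new sections (WSL and VBS enclaves); inbound fragment links to `#windows-sandbox` or `#app-containers` survive only if the includes keep the same H2 text, so check the include headings. The removed text described Win32 app isolation as `in public preview`; make sure the include reflects the current status rather than carrying that wording forward. As with the driver-control page, the title `Windows 11 Security Book - Application Isolation` is Title Case where the other pages in this PR use sentence case.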
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index 5b8a5238ab..7270a50314 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -1,16 +1,16 @@
---
-title: Application security
-description: Windows 11 security book - Application security chapter.
+title: Windows 11 Security Book - Application Security
+description: Application security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Application security
:::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
+Applications are prime vectors for cyberattacks due to their frequent usage and access to valuable data. Common attempts include injection attacks that insert malicious code, man-in-the-middle attacks that intercept and potentially alter communication between users and applications, and various methods of tricking users into divulging sensitive information or changing system settings.
+
+Windows 11 protects users, apps, and data with features like Windows App Control for Business and the Microsoft vulnerable driver blocklist, which help ensure that only trusted apps and drivers can run on the device.
+
:::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
-
-In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
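Review bot: The context line `:::image type="content" source="images/application-security-on.png" ... lightbox="images/application-security.png"` opens a different file in the lightbox than it shows inline, and its alt text still reads `Diagram of containing a list of security features.`, the same wording this PR fixes to `Diagram containing` on the two sibling pages; fix both while touching this file. In the new paragraph, `Windows App Control for Business` is not the name used elsewhere in the diff (`App Control for Business`); drop the `Windows` prefix for consistency.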
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 39b189a20f..36707a697b 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -1,58 +1,65 @@
---
-title: Cloud services - Protect your personal information
-description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+title: Windows 11 security book - Cloud services - Protect your personal information
+description: Cloud services chapter - Protect your personal information.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Protect your personal information
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## Microsoft Account
+## Microsoft account
-Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
+Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android.
-You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
+You can even go passwordless with your Microsoft account by removing the password from your MSA:
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- Use Windows Hello to eliminate the password sign-in method for an even more secure experience
+- Use the Microsoft Authenticator app on your Android or iOS device
-- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-## User reauthentication before password disablement
-
-Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
-
-This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
+- [What is a Microsoft account?][LINK-1]
+- [Go passwordless with your Microsoft account][LINK-5]
## Find my device
-When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
+When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
+- [How to set up, find, and lock a lost Windows device using a Microsoft account][LINK-2]
## OneDrive for personal
-Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
+Microsoft OneDrive for personal[\[10\]](conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- If a device is lost or stolen, users can quickly recover all their important files from the cloud
+- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
-- [OneDrive](/onedrive/plan-onedrive-enterprise)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
+- [Get started with OneDrive][LINK-6]
+- [How to recover from a ransomware attack using Microsoft 365][LINK-7]
+- [How to restore from OneDrive][LINK-3]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## Personal Vault
-- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
+Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.
-- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-## OneDrive Personal Vault
+- [Protect your OneDrive files in Personal Vault][LINK-4]
-OneDrive Personal Vault[\[9\]](conclusion.md#footnote9) also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
+
-Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
+[LINK-1]: https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa
+[LINK-2]: https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316
+[LINK-3]: https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15
+[LINK-4]: https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4
+[LINK-5]: https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856
+[LINK-6]: https://support.microsoft.com/onedrive
+[LINK-7]: /microsoft-365/security/office-365-security/recover-from-ransomware
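Review bot: The `User reauthentication before password disablement` section is removed with no replacement, and the `Personal Vault` heading loses its `OneDrive ` prefix, which changes its anchor from `#onedrive-personal-vault`; confirm the removal is intentional and keep the old heading text or add a redirect if anything links to that anchor. In the added line `The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.`, `second steps` should be singular (`The second step of verification can be ...`). The new `[\[10\]](conclusion.md#footnote10)` on OneDrive replaces the old garbled `OneDrive17` and the Personal Vault `footnote9`; verify `conclusion.md` now lists OneDrive as footnote 10 and that no other page still points at footnote 9 for it.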
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 97aafdbec1..033200a8f1 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -1,138 +1,88 @@
---
-title: Cloud services - Protect your work information
-description: Windows 11 security book - Cloud services chapter - Protect your work information.
+title: Windows 11 security book - Cloud services - Protect your work information
+description: Cloud services chapter - Protect your work information.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/04/2024
---
# Protect your work information
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## Microsoft Entra ID
+## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
-Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
-Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
+Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
-To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+:::row:::
+ :::column:::
+ For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="images/device-registration.png":::
+ :::column-end:::
+:::row-end:::
+
+To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
-When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[9\]](conclusion.md#footnote9), it receives the following security benefits:
+When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](conclusion.md#footnote4), it receives the following security benefits:
- Default managed user and device settings and policies
- Single sign-in to all Microsoft Online Services
- Full suite of authentication management capabilities using Windows Hello for Business
- Single sign-on (SSO) to enterprise and SaaS applications
-- No use of consumer Microsoft Account identity
+- No use of consumer Microsoft account identity
-Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
-- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
+- [Microsoft Entra ID documentation][LINK-1]
+- [Microsoft Entra plans and pricing][LINK-2]
-## Modern device management through (MDM)
+### Microsoft Entra Private Access
-Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune[\[9\]](conclusion.md#footnote9), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
+Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
-Windows 11 built-in management features include:
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
-- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
+- [Microsoft Entra Private Access][LINK-4]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+### Microsoft Entra Internet Access
-- [Mobile device management overview](/windows/client-management/mdm-overview)
+Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
-## Microsoft security baselines
+> [!NOTE]
+> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
-Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+- [Microsoft Entra Internet Access][LINK-3]
+- [Global Secure Access client for Windows][LINK-6]
+- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+### Enterprise State Roaming
-- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
+Available to any organization with a Microsoft Entra ID Premium[\[4\]](conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
-## MDM security baseline
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
+- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
-The security baseline includes policies for:
+## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service
-- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
-- Restricting remote access to devices
-- Setting credential requirements for passwords and PINs
-- Restricting use of legacy technology
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
-
-## Microsoft Intune
-
-Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
-
-Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
-
-Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
-
-Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
-
-### Endpoint Privilege Management (EPM)
-
-Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
-
-### Local Administrator Password (LAPs)
-
-Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
-
-### Mobile Application Management (MAM)
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
-
-Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
-
-Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
-
-## Remote Wipe
-
-When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
-
-Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions[\[9\]](conclusion.md#footnote9) can remotely initiate any of the following operations:
-
-- Reset the device and remove user accounts and data
-- Reset the device and clean the drive
-- Reset the device but persist user accounts and data
-
-Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
-
-## Microsoft Azure Attestation Service
-
-Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune[\[9\]](conclusion.md#footnote9) integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) Conditional Access.
-
-**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
+**Attestation policies are configured in the Azure Attestation service which can then:**
- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
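Review bot: the `> [!NOTE]` callout in this hunk (`Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment.`) has a subject-verb mismatch; change `requires` to `require`, and make the naming consistent while there: the callout writes `Microsoft Entra Joined` and `Global Secure Access client`, whereas the Private Access paragraph writes `Global Secure Access Client` and the unchanged text above writes `Microsoft Entra ID joined`. Two smaller points: the new reference-style links (`[LINK-1]` through `[LINK-8]`) are not defined anywhere in this hunk, so confirm the definitions block at the end of the file is part of the same change, otherwise they render as literal bracketed text; and the unchanged LAPS paragraph under the Entra ID heading (`Every Windows device has a built-in local administrator account ...`) now overlaps with the dedicated `## Windows Local Administrator Password Solution (LAPS)` section added later in this diff, so consider trimming it to a pointer to that section.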
@@ -140,130 +90,293 @@ Remote attestation helps ensure that devices are compliant with security policie
Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Azure Attestation overview](/azure/attestation/overview)
+- [Azure Attestation overview][LINK-8]
-## Windows Update for Business deployment service
+## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
-The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
+Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
-The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune[\[9\]](conclusion.md#footnote9) and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
+Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
-For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](conclusion.md#footnote4), and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
-- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-## Windows Autopatch
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender)
-Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
+## Cloud-native device management
-Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
+Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
-From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.[\[9\]](conclusion.md#footnote9) The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
+Windows 11 built-in management features include:
-There's a lot more to learn about Windows Autopatch:
+- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
-- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers
-- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service
-- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team
+[!INCLUDE [learn-more](includes/learn-more.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- [Mobile device management overview][LINK-9]
-- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
+### Remote wipe
-## Windows Autopilot and zero-touch deployment
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
-Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
-- From a user perspective, it only takes a few simple operations to get their device ready for use
-- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Remote wipe CSP][LINK-10]
+
+## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune
+
+Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
+
+Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
+
+Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
+
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+
+Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [What is Microsoft Intune][LINK-12]
+
+### Windows enrollment attestation
+
+When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
+
+With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows enrollment attestation][LINK-13]
+
+### Microsoft Cloud PKI
+
+Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
+
+Key features include:
+
+- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune
+- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices
+- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client
+- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting
+
+With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)
+
+### Endpoint Privilege Management (EPM)
+
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Endpoint Privilege Management][LINK-14]
+
+### Mobile application management (MAM)
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Data protection for Windows MAM][LINK-15]
+
+## Security baselines
+
+Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Security baselines][LINK-11]
+
+### Security baseline for cloud-based device management solutions
+
+Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
+
+The security baseline includes policies for:
+
+- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting the use of legacy technology
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Intune security baseline overview][LINK-16]
+- [List of the settings in the Windows security baseline in Intune][LINK-17]
+
+## Windows Local Administrator Password Solution (LAPS)
+
+Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
+
+Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4).
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows LAPS overview][LINK-18]
+
+## Windows Autopilot
+
+Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
+
+With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings.
Windows Autopilot enables you to:
-- Automatically join devices to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
-- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
-- Automatic upgrade to Enterprise Edition if required
-- Restrict administrator account creation
-- Create and auto-assign devices to configuration groups based on a device's profile
-- Customize Out of Box Experience (OOBE) content specific to the organization
+- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
+- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration)
+- Create and autoassignment of devices to configuration groups based on a device's profile
+- Customize of the out-of-box experience (OOBE) content specific to your organization
-Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
+Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
+- [Windows Autopilot][LINK-19]
+- [Windows Autopilot Reset][LINK-20]
-## Enterprise State Roaming with Azure
+## Windows Update for Business
-Available to any organization with a Microsoft Entra ID Premium[\[9\]](conclusion.md#footnote9) or Enterprise Mobility + Security (EMS)[\[9\]](conclusion.md#footnote9) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
+Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
-- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
+This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
-## Universal Print
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
+- [Windows Update for Business documentation][LINK-21]
-Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
+## Windows Autopatch
-Universal Print supports Zero Trust security by requiring that:
+Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks.
-- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[9\]](conclusion.md#footnote9). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
-- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
-- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
-- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
-- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
-- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community.
-Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune[\[9\]](conclusion.md#footnote9), admins can now configure policies to provision specific printers onto the user's Windows devices.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
+- [Windows updates API overview](/graph/windowsupdates-concept-overview)
+- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
+- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
-More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
+## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch
-The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
+Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices.
-Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
+By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
-- [Data handling in Universal Print](/universal-print/data-handling)
-- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
-For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
-
-## OneDrive for work or school
-
-Data in OneDrive for work or school is protected both in transit and at rest.
+OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
-Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
+Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
There are several ways that OneDrive for work or school is protected at rest:
-- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)
+- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
+- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
-## MDM enrollment certificate attestation
+## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print
-When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
-- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
+Universal Print supports Zero Trust security by requiring that:
+
+- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](conclusion.md#footnote4). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
+- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
+- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
+- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
+- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
+- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+
+Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices.
+
+Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
+
+More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
+
+The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
+
+Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
+
+For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Universal Print][LINK-26]
+- [Data handling in Universal Print][LINK-27]
+- [Delegate Printer Administration with Administrative Units][LINK-28]
+- [Print support app design guide][LINK-29]
+
+
+
+[LINK-1]: /entra
+[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing
+[LINK-3]: /entra/global-secure-access/concept-internet-access
+[LINK-4]: /entra/global-secure-access/concept-private-access
+[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access
+[LINK-6]: /entra/global-secure-access/how-to-install-windows-client
+[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable
+[LINK-8]: /azure/attestation/overview
+[LINK-9]: /windows/client-management/mdm-overview
+[LINK-10]: /windows/client-management/mdm/remotewipe-csp
+[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
+[LINK-12]: /mem/intune/fundamentals/what-is-intune
+[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation
+[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3
+[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3
+[LINK-16]: /mem/intune/protect/security-baselines
+[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all
+[LINK-18]: /windows-server/identity/laps/laps-overview
+[LINK-19]: /autopilot/overview
+[LINK-20]: /mem/autopilot/windows-autopilot-reset
+[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb
+[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw
+[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
+[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
+[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
+[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
+[LINK-27]: /universal-print/data-handling
+[LINK-28]: /universal-print/portal/delegated-admin
+[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide
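Review bot: the two rewritten Autopilot bullets "Create and autoassignment of devices to configuration groups" and "Customize of the out-of-box experience (OOBE) content" are ungrammatical after the edit; the removed lines read correctly, so restore the verb forms: "Create and auto-assign devices to configuration groups based on a device's profile" and "Customize the out-of-box experience (OOBE) content specific to your organization". In the Universal Print list, "uses SSL with TLS 1.2 protection" should read "TLS 1.2 or later" (SSL is a deprecated protocol, not a wrapper around TLS). The Hotpatch figures ("reducing the time to adopt a security update by 60%", "reduced from 12 times a year to just 4") carry no endnote while comparable claims in the book are footnoted; add an endnote reference or soften the wording. Link style is mixed: the Autopatch "Learn more" entries and the OneDrive "Learn more [here]" use inline URLs while the rest of the file now uses [LINK-n] references, so convert them for consistency. Finally, the "MDM enrollment certificate attestation" section is deleted here while [LINK-13] still points at /mem/intune/enrollment/windows-enrollment-attestation; confirm the content moved to another section rather than being dropped.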
diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md
index 9c78f4867b..cd8be85df1 100644
--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@@ -1,16 +1,16 @@
---
-title: Cloud services
-description: Windows 11 security book - Cloud services chapter.
+title: Windows 11 security book - Cloud services
+description: Cloud services chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Cloud services
:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
-:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
+The workplace is constantly evolving, with many users working outside the office at least some of the time. While remote work and cloud services provide more flexibility, they also result in more endpoints and locations for organizations to worry about.
-Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
+Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
-From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
+:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::
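Review bot: the front matter moves the chapter name into the title but leaves description as just "Cloud services chapter.", whereas conclusion.md in the same change uses "Windows 11 security book conclusion."; pick one pattern for every chapter's description so search snippets identify the book. The alt-text fix ("Diagram containing a list of security features") is correct; since the image now follows the intro paragraphs instead of preceding them, check the other chapter landing pages use the same order.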
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index c8137e0758..7a9d69992d 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -1,13 +1,13 @@
---
-title: Conclusion
-description: Conclusion
+title: Windows 11 security book - Conclusion
+description: Windows 11 security book conclusion.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Conclusion
-We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
+We will continue to innovate with security by design and security by default at the heart of every new Windows 11 PC and Windows 11 IoT device. This commitment ensures that our products not only meet, but exceed, the security expectations of our customers by providing robust protection against modern cyber threats while maintaining ease-of-use and performance. By integrating advanced security measures from the ground up, we aim to create a safer digital environment for everyone.
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
@@ -15,31 +15,30 @@ We will continue to bring you new features to protect against evolving threats,
New:
-- Config Refresh
-- 5G and eSIM
-- Win32 apps in isolation (public preview)
-- Passkey
-- Sign-in Session Token Protection
-- Windows Local Administrator Password Solution (LAPS) (public preview)
-- Microsoft Intune Suite Endpoint Privilège Management (EPM)
-- Microsoft Intune Suite Endpoint Privilege Management (EPM)
+- [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
+- [Config Refresh](operating-system-security-system-security.md#-config-refresh)
+- [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
+- [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
+- [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
+- [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
+- [Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
+- [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
+- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
Enhanced:
-- Hardware security user experience
-- BitLocker to go
-- Device encryption
-- Windows Firewall
-- Server Message Block direct
-- Smart App Control (SAC) going into Enforcement mode
-- Application Control for Business
-- Enhanced Sign-in security (ESS)
-- Windows Hello for Business
-- Presence Detection
-- Wake on approach, lock on leave
-- Universal Print
-- Lockout policies for local admin
-- Enhanced Phishing protection
+- [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
+- [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
+- [Device encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
+- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
+- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys)
+- [Personal data encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
+- [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
+- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
+- [Windows Hello PIN](identity-protection-passwordless-sign-in.md#windows-hello-pin)
+- [Windows Firewall](operating-system-security-network-security.md#windows-firewall)
+- [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
+- [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
## Document revision history
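Review bot: Windows Hotpatch is listed under "New:" while its section heading in cloud-services-protect-your-work-information.md in this same change is prefixed with the images/soon-button-title.svg icon, i.e. the chapter marks it as upcoming; either label it as coming soon here or leave it out of the New list until the feature ships. Minor ordering nit: "Windows Hello PIN" sits before "Windows Firewall" in the otherwise alphabetical Enhanced list. Also verify that the anchors with a leading hyphen (#-administrator-protection, #-windows-hotpatch, and so on) match the slugs generated from the icon-prefixed headings, and that the plain anchors (#bitlocker, #credential-guard) match headings without an icon; a mismatch produces silently broken in-book links.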
@@ -48,30 +47,27 @@ Enhanced:
|November 2021 |Link updates and formatting.|
|February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.|
|April 2022| Added Upcoming features section.|
-| September 2022| Updates with Windows 11 2022 Update features and enhancements.|
+|September 2022| Updates with Windows 11, version 22H2, features and enhancements.|
|April 2023| Minor edits and updates to edition availability.|
-|September 2023| Updates with Windows 11 2023 Update features and enhancement.|
-|May 2024| Move form PDF format to web format.|
+|September 2023| Updates with Windows 11, version 23H2, features and enhancements.|
+|May 2024| Move from PDF format to web format.|
+|November 2024| Updates with Windows 11, version 24H2, features and enhancements.|
## Endnotes
-1 "2023 Data Breach Investigations Report" - Verizon, 2023.\
-2 "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
-3 Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
-4 Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
-5 Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
-6 Requires developer enablement.\
-7 Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
-8 Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
-9 Sold separately.\
-10 Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\
-11 Microsoft internal data.\
-12 Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\
-13 Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\
-14 Hardware dependent.\
-15 Microsoft 365 E3 or E5 required; sold separately.\
-16 The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\
-17 All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.
+||Details|
+|-|-|
+|**1**| [Microsoft digital defense report, CISO executive summary, October 2023](https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2023).|
+|**2**| Windows 11 Survey Report. Techaisle, September 2024. Windows 11 results are in comparison with Windows 10 devices.|
+|**3**| Requires developer enablement.|
+|**4**| Sold separately.|
+|**5**| The Passkey can be saved locally to the Windows device and authenticated via Windows Hello or Windows Hello for Business. Hardware dependent.|
+|**6**| Commissioned study delivered by Forrester Consulting "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note, quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
+|**7**| Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
+|**8**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
+|**9**| Hardware dependent.|
+|**10**|All users with a Microsoft account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
+|**11**|The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
---
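Review bot: the endnotes are renumbered from 1-17 down to 1-11, so every `[\[n\]](conclusion.md#footnoten)` reference in the other chapters has to be remapped (this change does remap "Sold separately" from [9] to [4] in the cloud services chapter); grep for any remaining footnote12 through footnote17 references before merging. The new table rows define no footnote1..footnote11 ids, so confirm the rendering pipeline still creates the anchors those links target, otherwise the links land at the top of the page. "Windows 11 Survey Report. Techaisle, September 2024" replaces the February 2022 edition cited previously; double-check that the newer report still compares against Windows 10 devices as the row states.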
@@ -89,4 +85,4 @@ Enhanced:
>
> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
>
-> Part No. May 2024
+> Part No. November 2024
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
new file mode 100644
index 0000000000..09081404bf
--- /dev/null
+++ b/windows/security/book/features-index.md
@@ -0,0 +1,10 @@
+---
+title: Windows 11 security book - Features index
+description: Windows security book features index.
+ms.topic: overview
+ms.date: 11/18/2024
+---
+
+# Features index
+
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim) [Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control) [Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies) [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection) [App containers](application-security-application-isolation.md#app-containers) [App Control for Business](application-security-application-and-driver-control.md#app-control-for-business) [Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules) [Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service) [BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go) [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker) [Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection) [Certificates](operating-system-security-system-security.md#certificates) [Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management) [Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity) [Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc) [Config Refresh](operating-system-security-system-security.md#-config-refresh) [Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access) [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard) [Cryptography](operating-system-security-system-security.md#cryptography) [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption) [Device Health 
Attestation](operating-system-security-system-security.md#device-health-attestation) [Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security) [Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption) [Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive) [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen) [Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess) [Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection) [Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips) [Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in) [FIDO2](identity-protection-passwordless-sign-in.md#fido2) [Find my device](cloud-services-protect-your-personal-information.md#find-my-device) [Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection) [Kiosk mode](operating-system-security-system-security.md#kiosk-mode) [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection) [Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account) [Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator) [Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki) [Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus) [Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint) 
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen) [Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id) [Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune) [Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering) [Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor) [Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard) [Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl) [Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist) [Network protection](operating-system-security-virus-and-threat-protection.md#network-protection) [OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal) [OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school) [OneFuzz service](security-foundation-offensive-research.md#onefuzz-service) [Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption) [Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault) [Privacy resource usage](privacy-controls.md#privacy-resource-usage) [Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls) [Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard) [Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe) [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows) [Secure Future Initiative 
(SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi) [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel) [Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core) [Security baselines](cloud-services-protect-your-work-information.md#security-baselines) [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services) [Smart App Control](application-security-application-and-driver-control.md#smart-app-control) [Smart cards](identity-protection-passwordless-sign-in.md#smart-cards) [Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom) [Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection) [Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview) [Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls) [Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot) [Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm) [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing) [Universal Print](cloud-services-protect-your-work-information.md#-universal-print) [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection) [Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn) [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves) [Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in) [Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections) [Win32 app 
isolation](application-security-application-isolation.md#-win32-app-isolation) [Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch) [Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot) [Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration) [Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation) [Windows Firewall](operating-system-security-network-security.md#windows-firewall) [Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business) [Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello) [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch) [Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs) [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps) [Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing) [Windows protected print](operating-system-security-system-security.md#-windows-protected-print) [Windows Sandbox](application-security-application-isolation.md#windows-sandbox) [Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing) [Windows Security](operating-system-security-system-security.md#windows-security) [Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk) [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl) [Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
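Review bot: The new index omits two features that this same change adds or promotes in hardware-security-silicon-assisted-security.md: the new "Hypervisor-enforced Paging Translation (HVPT)" section and "Hardware-enforced stack protection", which is now a subsection under "Secured kernel"; both should get entries so the index stays complete. Several existing entries also rely on anchors with a leading hyphen because the target heading begins with the new-feature icon (for example `application-security-application-and-driver-control.md#-administrator-protection` and `cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint`); those links break the moment the badge is removed from the heading, so consider explicit anchors or moving the icon out of the heading text. Finally, the whole index is one run of space-separated links with hard wraps inside link text ("Device Health / Attestation", "Secure Future Initiative / (SFI)", "Win32 app / isolation"); a bulleted list would be readable and reviewable, and the file should end with a newline.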
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index 871680e2f4..1b2345a22b 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -1,35 +1,47 @@
---
-title: Hardware root-of-trust
-description: Windows 11 security book - Hardware root-of-trust.
+title: Windows 11 security book - Hardware root-of-trust
+description: Hardware root-of-trust.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Hardware root-of-trust
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
## Trusted Platform Module (TPM)
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
+Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
-- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
-- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
+- [Windows 11 TPM specifications][LINK-1]
+- [Enable TPM 2.0 on your PC][LINK-2]
+- [Trusted Platform Module Technology Overview][LINK-3]
## Microsoft Pluton security processor
-The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
+The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
-Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
+Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update.
-As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
+As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution.
-Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
+Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.
-- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
-- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
+Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4]
+- [Microsoft Pluton security processor][LINK-5]
+
+
+
+[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications
+[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c
+[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
+[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
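Review bot: The rewritten TPM paragraph keeps the pre-existing typo "existing Windows 10 devices much meet minimum system requirements"; since the line is being touched anyway, change "much" to "must". In the new Copilot+ PC paragraph, "Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms" repeats "processor", and "security subsystem ." has a stray space before the period. The two extra blank lines before `[LINK-1]` can be dropped. It is also worth confirming that the changed LINK-2 target `https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c` resolves, because the removed line used the `/windows/enable-tpm-2-0-on-your-pc-...` slug and the hunk gives no reason for the switch.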
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 8be924910a..da7cf92de1 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -1,82 +1,114 @@
---
-title: Silicon assisted security
-description: Windows 11 security book - Silicon assisted security.
+title: Windows 11 security book - Silicon assisted security
+description: Silicon assisted security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Silicon assisted security
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
-In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
+In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more.
## Secured kernel
-To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
+To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
-Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
-implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+### Virtualization-based security (VBS)
-Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
+:::row:::
+ :::column:::
+ Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png" border="false":::
+ :::column-end:::
+:::row-end:::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
-- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+- [Virtualization-based security (VBS)][LINK-1]
+
+### Hypervisor-protected code integrity (HVCI)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
-- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
+- [Enable virtualization-based protection of code integrity][LINK-2]
-## Hardware-enforced stack protection
+### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
-Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
+Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
-Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
+### Hardware-enforced stack protection
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
-- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
-- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
+Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
-## Kernel Direct Memory Access (DMA) protection
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
+- [Understanding Hardware-enforced Stack Protection][LINK-3]
+- [Developer Guidance for hardware-enforced stack protection][LINK-4]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## Kernel direct memory access (DMA) protection
-- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
+Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
-## Secured-core PC
+[!INCLUDE [learn-more](includes/learn-more.md)]
-The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
+- [Kernel direct memory access (DMA) protection][LINK-5]
-Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
+## Secured-core PC and Edge Secured-Core
-Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows.
-Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection.
-In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
+Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+
+Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+
+### Dynamic Root of Trust for Measurement (DRTM)
+
+In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface.
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false":::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
-- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- [System Guard Secure Launch][LINK-6]
+- [Firmware Attack Surface Reduction][LINK-7]
+- [Windows 11 secured-core PCs][LINK-8]
+- [Edge Secured-Core][LINK-9]
-## Secured-core configuration lock
+### Configuration lock
-In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
+In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift.
-- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Secured-core PC configuration lock][LINK-10]
+
+
+
+[LINK-1]: /windows-hardware/design/device-experiences/oem-vbs
+[LINK-2]: /windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
+[LINK-3]: https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815
+[LINK-4]: https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340
+[LINK-5]: /windows/security/hardware-security/kernel-dma-protection-for-thunderbolt
+[LINK-6]: /windows/security/hardware-security/system-guard-secure-launch-and-smm-protection
+[LINK-7]: /windows-hardware/drivers/bringup/firmware-attack-surface-reduction
+[LINK-8]: /windows-hardware/design/device-experiences/oem-highly-secure-11
+[LINK-9]: /en-us/azure/certification/overview
+[LINK-10]: /windows/client-management/mdm/config-lock
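Review bot: `[LINK-9]` carries a locale prefix (`/en-us/azure/certification/overview`) while every other site-relative definition in this block omits it; drop `/en-us/` so the Edge Secured-Core link resolves in the reader's locale like the rest. Two grammar slips in the rewritten paragraphs: `Built-in hypervisor-protected code integrity (HVCI) shield system memory` needs `shields`, and `remote control over the PCs` in the DMA paragraph should read `the PC`. The DRTM paragraph also opens with `In secured-core PCs` while the heading and the surrounding text capitalize `Secured-core PCs`; pick one form. Finally, the three blank lines before the link definitions can collapse to one.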
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
index f6a8137aac..7d1f8669b1 100644
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@@ -1,16 +1,16 @@
---
-title: Hardware security
-description: Windows 11 security book - Hardware security chapter.
+title: Windows 11 security book - Hardware security
+description: Hardware security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Hardware security
:::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
-:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+Today's ever-evolving threats require strong alignment between hardware and software to keep users, data, and devices protected. The operating system and software alone can't defend against the wide range of tools used by cybercriminals to steal credentials, take data, and implant malware.
-Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
+In partnership with our silicon and device manufacturing partners, Windows 11 devices shield software, hardware, and firmware with features like Trusted Platform Module (TPM) 2.0, Microsoft Pluton, and Virtualization-based security (VBS). Windows 11 devices provide hardware-backed protection by default to significantly improve security while maintaining the performance that users expect.
-With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
+:::image type="content" source="images/hardware-on.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
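Review bot: the new second paragraph has a dangling modifier: `In partnership with our silicon and device manufacturing partners, Windows 11 devices shield software, hardware, and firmware...` attaches the partnership to the devices rather than to Microsoft. Suggest `Working with our silicon and device manufacturing partners, we shield...` or `Windows 11 devices, built in partnership with our silicon and device manufacturing partners, shield...`. Also, the image line moved to the end of the file still pairs `source="images/hardware-on.png"` with `lightbox="images/hardware.png"`; if the inline and lightbox images are meant to be the same asset, align the two paths while touching this line.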
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index f5b1e3d1a4..0e35e41bc8 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,85 +1,98 @@
---
-title: Identity protection - Advanced credential protection
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Advanced credential protection
+description: Identity protection chapter - Advanced credential protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Advanced credential protection
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
-## Enhanced phishing protection with Microsoft Defender SmartScreen
-
-As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
-
-However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
-
## Local Security Authority (LSA) protection
-Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
-To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
+By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
+To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
+
+Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
+
+To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Configuring additional LSA protection][LINK-2]
## Credential Guard
-Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+:::row:::
+ :::column:::
+ Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="images/credential-guard-architecture.png" border="false":::
+ :::column-end:::
+:::row-end:::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
+Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Protect derived domain credentials with Credential Guard][LINK-3]
## Remote Credential Guard
Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
-Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
+Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
+- [Remote Credential Guard][LINK-4]
-## Token protection
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection
-Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[9\]](conclusion.md#footnote9) can be configured to require token protection when using sign-in tokens for specific services.
+VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
+- [Advancing key protection in Windows using VBS][LINK-8]
-## Sign-in session token protection policy
+## Token protection (preview)
-At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
+Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
+- [Token protection in Entra ID Conditional Access][LINK-5]
+
+### Sign-in session token protection policy
+
+This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
## Account lockout policies
-New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
+New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
-The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
+The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
+- [Account lockout policy][LINK-6]
## Access management and control
-Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
+Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions.
Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
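Review bot: the `VBS key protection` heading embeds an icon (`## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection`) whereas the other 24H2 additions in this same hunk use a plain heading followed by `[!INCLUDE [new-24h2](includes/new-24h2.md)]`; image markup inside an H2 also makes the generated anchor and TOC entry unpredictable, so use the include convention here as well. Smaller points: the LSA paragraph has a stray comma in `authenticating users, and verifying Windows sign-ins`, and `it is enabled after rebooting after an evaluation period of 10 days` reads awkwardly (`it is enabled at the first reboot after a 10-day evaluation period`); in the account lockout paragraph only `*Allow Administrator account lockout*` is italicized while `Reset account lockout counter after` is not, so italicize both policy names; the new `### Sign-in session token protection policy` subsection is a single sentence that restates the paragraph directly above it and could be folded into the `Token protection (preview)` section; and the Conditional Access footnote changed from `[9]` to `[4]`, so confirm `conclusion.md#footnote4` is the matching entry.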
@@ -87,10 +100,20 @@ IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
-- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
-- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
+- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
+- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Access control](/windows/security/identity-protection/access-control/access-control)
+- [Access control][LINK-7]
+
+
+
+[LINK-2]: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+[LINK-3]: /windows/security/identity-protection/credential-guard
+[LINK-4]: /windows/security/identity-protection/remote-credential-guard
+[LINK-5]: /azure/active-directory/conditional-access/concept-token-protection
+[LINK-6]: /windows/security/threat-protection/security-policy-settings/account-lockout-policy
+[LINK-7]: /windows/security/identity-protection/access-control/access-control
+[LINK-8]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988
\ No newline at end of file
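Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); add one so the next edit to this file doesn't produce a noisy diff on the last line. Also the three consecutive blank lines before `[LINK-2]` can collapse to one, and the reference definitions start at `LINK-2` with no `LINK-1` anywhere in the file, so either renumber from 1 or leave a comment that the gap is intentional.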
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 00ee61f822..5187c49058 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,172 +1,243 @@
---
-title: Identity protection - Passwordless sign-in
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Passwordless sign-in
+description: Identity protection chapter - Passwordless sign-in.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Passwordless sign-in
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
-Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
+Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services.
## Windows Hello
-Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
-[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
-PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
-## Windows Hello for Business
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+- [Configure Windows Hello][LINK-1]
-## Windows Hello for Business Passwordless
-
-Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
-
-IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
-
-During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
-
-Provisioning methods include:
-
-- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
-- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
-
-Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
-
-Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
-
-Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
-
-## Windows Hello PIN
+### Windows Hello PIN
The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
-## Windows Hello biometric sign-in
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
+If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.
-Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
+### Windows Hello biometric
-If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
+Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in.
-## Windows Hello Enhanced Sign-in Security
+Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.
-Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.
-Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
-
-Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
-## Windows Hello for Business multi-factor unlock
-
-For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
-
-Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
+- [Windows Hello biometric requirements][LINK-4]
## Windows presence sensing
-Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+Windows presence sensing[\[9\]](conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
-Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
+Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
-## Developer APIs and app privacy support for presence sensing
+Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
-Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
+Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
-Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- [Presence sensing][LINK-7]
+- [Manage presence sensing settings in Windows 11][LINK-8]
-- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
-- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
+## Windows Hello for Business
-## FIDO support
+Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
-The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.
-Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+Provisioning methods include:
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
+- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
+- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app
-- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
+Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.
-## Passkeys
+There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.
-Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey from Windows Hello, an external security provider, or their mobile device.
+- [Windows Hello for Business overview][LINK-2]
+- [Enable passkeys (FIDO2) for your organization][LINK-9]
-Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users can manage passkeys on their device on Windows 11 account settings.
+### PIN reset
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4).
-- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
+Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [PIN reset][LINK-15]
+
+### Multi-factor unlock
+
+For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
+
+Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Multi-factor unlock][LINK-6]
+
+### Windows passwordless experience
+
+**Windows Hello for Business now support a fully passwordless experience.**
+
+IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
+
+Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows passwordless experience][LINK-3]
+
+## Enhanced Sign-in Security (ESS)
+
+Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+
+Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+
+These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.
+
+Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Hello Enhanced Sign-in Security][LINK-5]
+
+## FIDO2
+
+The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+
+Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+
+### Passkeys
+
+Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+
+A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in.
+
+Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
+
+:::row:::
+ :::column span="2":::
+[!INCLUDE [coming-soon](includes/coming-soon.md)]
+
+The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" border="false" source="images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." lightbox="images/passkey-save-3p.png":::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Support for passkeys in Windows][LINK-10]
+- [Enable passkeys (FIDO2) for your organization][LINK-9]
## Microsoft Authenticator
-The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
+The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
-Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
-
-Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
+Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.
Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
+- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11]
-## Smart cards for Windows service
+## Web sign-in
-Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
+With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider.
-**Smart cards provide:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
+- [Web sign-in for Windows][LINK-13]
+
+## Federated sign-in
+
+Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Configure federated sign-in for Windows devices][LINK-14]
+
+## Smart cards
+
+Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.
+
+Smart cards provide:
+
+- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
-When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
+When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
-- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-## Federated sign-in
+- [Smart Card technical reference][LINK-12]
-Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
+## Enhanced phishing protection in Microsoft Defender SmartScreen
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
-- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
+We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16]
+
+
+
+[LINK-1]: https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0
+[LINK-2]: /windows/security/identity-protection/hello-for-business
+[LINK-3]: /windows/security/identity-protection/passwordless-experience
+[LINK-4]: /windows-hardware/design/device-experiences/windows-hello-biometric-requirements
+[LINK-5]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
+[LINK-6]: /windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
+[LINK-7]: /windows-hardware/design/device-experiences/sensors-presence-sensing
+[LINK-8]: https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb
+[LINK-9]: /entra/identity/authentication/how-to-enable-passkey-fido2
+[LINK-10]: /windows/security/identity-protection/passkeys
+[LINK-11]: /entra/identity/authentication/concept-authentication-authenticator-app
+[LINK-12]: /windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference
+[LINK-13]: /windows/security/identity-protection/web-sign-in
+[LINK-14]: /education/windows/federated-sign-in
+[LINK-15]: /windows/security/identity-protection/hello-for-business/pin-reset
+[LINK-16]: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
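Review bot: the rewritten federated sign-in paragraph (the added line that replaces the removed one) drops the sentence "Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day." If shared device support is still part of the feature, keep that sentence; if it is being removed on purpose, the PR description should say so. Two smaller points in the same hunk: the web sign-in paragraph writes "Web sign in" unhyphenated in its second sentence while the heading and the link text use "web sign-in" (suggest "Web sign-in also enables federated sign-in with a SAML-P identity provider"), and there are three consecutive blank lines before the `[LINK-1]` definition block where a single blank line is the convention elsewhere in the file.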
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
index d614925654..41d1b6bca6 100644
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@@ -1,16 +1,16 @@
---
-title: Identity protection
-description: Windows 11 security book -Identity protection chapter.
+title: Windows 11 security book - Identity protection
+description: Identity protection chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Identity protection
:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
-:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
-Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
+Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
-Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
+:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
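Review bot: typo in the new opening paragraph: "Employes are increasingly targets for cyberattacks" should read "Employees are increasingly targets for cyberattacks". Separately, the removed paragraph carried the footnote marker for the "more than 4,000 password attacks per second" statistic (`per second.11`); check that the matching footnote in the conclusion chapter is removed or renumbered so the book's footnote numbering stays consistent after this change.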
diff --git a/windows/security/book/images/access-work-or-school.png b/windows/security/book/images/access-work-or-school.png
index 4c256ca182..69fca1f5fa 100644
Binary files a/windows/security/book/images/access-work-or-school.png and b/windows/security/book/images/access-work-or-school.png differ
diff --git a/windows/security/book/images/application-security-cover.png b/windows/security/book/images/application-security-cover.png
index 3d8d9aa3d9..d49cf4a173 100644
Binary files a/windows/security/book/images/application-security-cover.png and b/windows/security/book/images/application-security-cover.png differ
diff --git a/windows/security/book/images/application-security-on.png b/windows/security/book/images/application-security-on.png
index d15844943d..97b86789d5 100644
Binary files a/windows/security/book/images/application-security-on.png and b/windows/security/book/images/application-security-on.png differ
diff --git a/windows/security/book/images/application-security.png b/windows/security/book/images/application-security.png
index bebbcf3891..2188dd6a91 100644
Binary files a/windows/security/book/images/application-security.png and b/windows/security/book/images/application-security.png differ
diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg
new file mode 100644
index 0000000000..c4df2e11d2
--- /dev/null
+++ b/windows/security/book/images/azure-attestation.svg
@@ -0,0 +1,20 @@
+
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index 08f370e1f9..e26a786101 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/cloud-security-on.png b/windows/security/book/images/cloud-security-on.png
index eb2666b9fa..a902352b0e 100644
Binary files a/windows/security/book/images/cloud-security-on.png and b/windows/security/book/images/cloud-security-on.png differ
diff --git a/windows/security/book/images/cloud-security.png b/windows/security/book/images/cloud-security.png
index 2d1b118594..e483a71861 100644
Binary files a/windows/security/book/images/cloud-security.png and b/windows/security/book/images/cloud-security.png differ
diff --git a/windows/security/book/images/cloud-services-cover.png b/windows/security/book/images/cloud-services-cover.png
index d5961c347e..f33886677a 100644
Binary files a/windows/security/book/images/cloud-services-cover.png and b/windows/security/book/images/cloud-services-cover.png differ
diff --git a/windows/security/book/images/cover.png b/windows/security/book/images/cover.png
index 4d5b549c44..dd1c91f28b 100644
Binary files a/windows/security/book/images/cover.png and b/windows/security/book/images/cover.png differ
diff --git a/windows/security/book/images/credential-guard-architecture.png b/windows/security/book/images/credential-guard-architecture.png
new file mode 100644
index 0000000000..fd55100713
Binary files /dev/null and b/windows/security/book/images/credential-guard-architecture.png differ
diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg
new file mode 100644
index 0000000000..bf135a593b
--- /dev/null
+++ b/windows/security/book/images/defender-for-endpoint.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/book/images/device-registration.png b/windows/security/book/images/device-registration.png
new file mode 100644
index 0000000000..b6ee9cebf1
Binary files /dev/null and b/windows/security/book/images/device-registration.png differ
diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png
index 89bc3c7a69..79dbe2aee5 100644
Binary files a/windows/security/book/images/hardware-on.png and b/windows/security/book/images/hardware-on.png differ
diff --git a/windows/security/book/images/hardware-security-cover.png b/windows/security/book/images/hardware-security-cover.png
index 5328456231..da283d2f4f 100644
Binary files a/windows/security/book/images/hardware-security-cover.png and b/windows/security/book/images/hardware-security-cover.png differ
diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png
index 9f526775df..a16761650c 100644
Binary files a/windows/security/book/images/hardware.png and b/windows/security/book/images/hardware.png differ
diff --git a/windows/security/book/images/identity-protection-cover.png b/windows/security/book/images/identity-protection-cover.png
index 6fe6084305..12dd9d85bd 100644
Binary files a/windows/security/book/images/identity-protection-cover.png and b/windows/security/book/images/identity-protection-cover.png differ
diff --git a/windows/security/book/images/identity-protection-on.png b/windows/security/book/images/identity-protection-on.png
index c099ebb82f..5c8f53c733 100644
Binary files a/windows/security/book/images/identity-protection-on.png and b/windows/security/book/images/identity-protection-on.png differ
diff --git a/windows/security/book/images/identity-protection.png b/windows/security/book/images/identity-protection.png
index 300e3d89ef..08f3192393 100644
Binary files a/windows/security/book/images/identity-protection.png and b/windows/security/book/images/identity-protection.png differ
diff --git a/windows/security/book/images/information.svg b/windows/security/book/images/information.svg
new file mode 100644
index 0000000000..570c319c9a
--- /dev/null
+++ b/windows/security/book/images/information.svg
@@ -0,0 +1,12 @@
+
diff --git a/windows/security/book/images/kiosk.png b/windows/security/book/images/kiosk.png
new file mode 100644
index 0000000000..01a7daaee9
Binary files /dev/null and b/windows/security/book/images/kiosk.png differ
diff --git a/windows/security/book/images/learn-more.svg b/windows/security/book/images/learn-more.svg
deleted file mode 100644
index 947593db41..0000000000
--- a/windows/security/book/images/learn-more.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg
new file mode 100644
index 0000000000..5cb2cfe7be
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-id.svg
@@ -0,0 +1,8 @@
+
diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg
new file mode 100644
index 0000000000..714722c739
--- /dev/null
+++ b/windows/security/book/images/microsoft-intune.svg
@@ -0,0 +1,23 @@
+
diff --git a/windows/security/book/images/new-button-title.svg b/windows/security/book/images/new-button-title.svg
new file mode 100644
index 0000000000..15ea7247a2
--- /dev/null
+++ b/windows/security/book/images/new-button-title.svg
@@ -0,0 +1,6 @@
+
diff --git a/windows/security/book/images/new-button.svg b/windows/security/book/images/new-button.svg
new file mode 100644
index 0000000000..49bd889d96
--- /dev/null
+++ b/windows/security/book/images/new-button.svg
@@ -0,0 +1,13 @@
+
diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg
new file mode 100644
index 0000000000..6f9ac42e61
--- /dev/null
+++ b/windows/security/book/images/onedrive.svg
@@ -0,0 +1,29 @@
+
diff --git a/windows/security/book/images/operating-system-on.png b/windows/security/book/images/operating-system-on.png
index d97bd2a9ba..524c7ac372 100644
Binary files a/windows/security/book/images/operating-system-on.png and b/windows/security/book/images/operating-system-on.png differ
diff --git a/windows/security/book/images/operating-system-security-cover.png b/windows/security/book/images/operating-system-security-cover.png
index 955891f34d..c3b24e0a2a 100644
Binary files a/windows/security/book/images/operating-system-security-cover.png and b/windows/security/book/images/operating-system-security-cover.png differ
diff --git a/windows/security/book/images/operating-system.png b/windows/security/book/images/operating-system.png
index 288e01fc73..c5bfb38b42 100644
Binary files a/windows/security/book/images/operating-system.png and b/windows/security/book/images/operating-system.png differ
diff --git a/windows/security/book/images/passkey-save-3p.png b/windows/security/book/images/passkey-save-3p.png
new file mode 100644
index 0000000000..747bdc074b
Binary files /dev/null and b/windows/security/book/images/passkey-save-3p.png differ
diff --git a/windows/security/book/images/pde.png b/windows/security/book/images/pde.png
new file mode 100644
index 0000000000..5ed0a99cf5
Binary files /dev/null and b/windows/security/book/images/pde.png differ
diff --git a/windows/security/book/images/privacy-cover.png b/windows/security/book/images/privacy-cover.png
index 09a4364bb0..e7a0a5825c 100644
Binary files a/windows/security/book/images/privacy-cover.png and b/windows/security/book/images/privacy-cover.png differ
diff --git a/windows/security/book/images/privacy-on.png b/windows/security/book/images/privacy-on.png
index 83e4d59c8b..be6f888dce 100644
Binary files a/windows/security/book/images/privacy-on.png and b/windows/security/book/images/privacy-on.png differ
diff --git a/windows/security/book/images/privacy.png b/windows/security/book/images/privacy.png
index f0772e28ba..4a87f077fb 100644
Binary files a/windows/security/book/images/privacy.png and b/windows/security/book/images/privacy.png differ
diff --git a/windows/security/book/images/secure-launch.png b/windows/security/book/images/secure-launch.png
index dd00cdc393..d83d884e44 100644
Binary files a/windows/security/book/images/secure-launch.png and b/windows/security/book/images/secure-launch.png differ
diff --git a/windows/security/book/images/security-foundation-cover.png b/windows/security/book/images/security-foundation-cover.png
index 5fdd9c7a92..9c97b0284c 100644
Binary files a/windows/security/book/images/security-foundation-cover.png and b/windows/security/book/images/security-foundation-cover.png differ
diff --git a/windows/security/book/images/security-foundation-on.png b/windows/security/book/images/security-foundation-on.png
index d6ddf2af1f..c0c23101bb 100644
Binary files a/windows/security/book/images/security-foundation-on.png and b/windows/security/book/images/security-foundation-on.png differ
diff --git a/windows/security/book/images/security-foundation.png b/windows/security/book/images/security-foundation.png
index 2810449234..ba54e5a0ba 100644
Binary files a/windows/security/book/images/security-foundation.png and b/windows/security/book/images/security-foundation.png differ
diff --git a/windows/security/book/images/sfi.png b/windows/security/book/images/sfi.png
new file mode 100644
index 0000000000..4bd6163fb2
Binary files /dev/null and b/windows/security/book/images/sfi.png differ
diff --git a/windows/security/book/images/soon-arrow.svg b/windows/security/book/images/soon-arrow.svg
new file mode 100644
index 0000000000..fc259c2605
--- /dev/null
+++ b/windows/security/book/images/soon-arrow.svg
@@ -0,0 +1,14 @@
+
diff --git a/windows/security/book/images/soon-button-title.svg b/windows/security/book/images/soon-button-title.svg
new file mode 100644
index 0000000000..c0b233518c
--- /dev/null
+++ b/windows/security/book/images/soon-button-title.svg
@@ -0,0 +1,7 @@
+
diff --git a/windows/security/book/images/uac-settings.png b/windows/security/book/images/uac-settings.png
deleted file mode 100644
index d4a8fc4bb0..0000000000
Binary files a/windows/security/book/images/uac-settings.png and /dev/null differ
diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg
new file mode 100644
index 0000000000..3c5d0761a2
--- /dev/null
+++ b/windows/security/book/images/universal-print.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/images/vbs-diagram.png b/windows/security/book/images/vbs-diagram.png
new file mode 100644
index 0000000000..c8a27ea370
Binary files /dev/null and b/windows/security/book/images/vbs-diagram.png differ
diff --git a/windows/security/book/images/windows-security.png b/windows/security/book/images/windows-security.png
new file mode 100644
index 0000000000..558b4790e0
Binary files /dev/null and b/windows/security/book/images/windows-security.png differ
diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg
new file mode 100644
index 0000000000..7882c89525
--- /dev/null
+++ b/windows/security/book/images/windows-security.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md
new file mode 100644
index 0000000000..e993800f31
--- /dev/null
+++ b/windows/security/book/includes/administrator-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection
+
+When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
+
+Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
+
+When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
+
+> [!NOTE]
+> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/how-user-account-control-works).
\ No newline at end of file
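Review bot: the new include ends without a trailing newline (`\ No newline at end of file`), unlike the other includes introduced in this change; add one so the file matches the repository convention and later diffs stay clean. Minor wording in the first paragraph: "which can impact its overall security. These rights can be a target for malicious software." reads more directly as "which can weaken its overall security, and those rights are a target for malicious software."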
diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md
new file mode 100644
index 0000000000..32e39cdd35
--- /dev/null
+++ b/windows/security/book/includes/app-containers.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## App containers
+
+In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
+
+Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
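Review bot: the learn-more link carries a `?source=recommendations` tracking query string and points at the Windows App SDK feature mapping table rather than an AppContainer topic; drop the query string and link the AppContainer documentation directly so the link text matches its target. In the second paragraph, "access to a local host isn't allowed" is ambiguous about what is blocked; "loopback (localhost) network access isn't allowed" states the restriction precisely, and "malware or infected apps have limited footprint for escape" reads better as "malware or compromised apps have limited ability to escape the container".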
diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md
new file mode 100644
index 0000000000..c6b63cb102
--- /dev/null
+++ b/windows/security/book/includes/app-control-for-business.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## App Control for Business
+
+Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+
+App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+
+Microsoft Intune[\[4\]](..\conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
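Review bot: the footnote link `[\[4\]](..\conclusion.md#footnote4)` uses a backslash as the path separator; markdown links need forward slashes (`../conclusion.md#footnote4`) or the rendered link breaks. In the learn-more list, the first link still uses the legacy `/windows/security/application-security/application-control/windows-defender-application-control/wdac` path while the second already uses `app-control-for-business/`; point both at the current location, since this PR is adding redirects away from the old WDAC paths. Style: stray comma in "Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature".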
diff --git a/windows/security/book/includes/coming-soon.md b/windows/security/book/includes/coming-soon.md
new file mode 100644
index 0000000000..4122be1932
--- /dev/null
+++ b/windows/security/book/includes/coming-soon.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon[\[7\]](..\conclusion.md#footnote7)**
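Review bot: same path separator problem as in the app-control include: `[\[7\]](..\conclusion.md#footnote7)` should be `[\[7\]](../conclusion.md#footnote7)`.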
diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md
new file mode 100644
index 0000000000..7ed46da843
--- /dev/null
+++ b/windows/security/book/includes/learn-more.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/information.svg" border="false"::: **Learn more**
diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
new file mode 100644
index 0000000000..73ddeba96b
--- /dev/null
+++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Microsoft vulnerable driver blocklist
+
+The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
\ No newline at end of file
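Review bot: the learn-more link uses the legacy `/windows/security/threat-protection/windows-defender-application-control/` path; the rest of this change moves application control content under `application-security/application-control/`, so update the link to the current location of the recommended driver block rules page rather than relying on a redirect. The file also lacks a trailing newline (`\ No newline at end of file`); add one for consistency with the other includes.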
diff --git a/windows/security/book/includes/new-24h2.md b/windows/security/book/includes/new-24h2.md
new file mode 100644
index 0000000000..b90019f189
--- /dev/null
+++ b/windows/security/book/includes/new-24h2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2**
diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md
new file mode 100644
index 0000000000..9d3548d40f
--- /dev/null
+++ b/windows/security/book/includes/smart-app-control.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Smart App Control
+
+Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
+
+Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
+
+We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
+
+To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
+
+Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
\ No newline at end of file
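Review bot: missing trailing newline (`\ No newline at end of file`), as in the other new includes; add one. In the developer guidance paragraph, the file type list "exe, dll, temp installer files, and uninstallers" mixes extensions with descriptions; writing "`.exe` and `.dll` files, temporary installer files, and uninstallers" makes it clear these are binaries to sign. The last paragraph says Smart App Control "is disabled on devices enrolled in enterprise management"; if it is in fact unavailable rather than merely switched off on managed devices, "isn't available" is the more accurate phrasing, and the sentence should say which one is meant.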
diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md
new file mode 100644
index 0000000000..123195a9cc
--- /dev/null
+++ b/windows/security/book/includes/trusted-signing.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing
+
+Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is Trusted Signing](/azure/trusted-signing/overview)
diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md
new file mode 100644
index 0000000000..238c1d1681
--- /dev/null
+++ b/windows/security/book/includes/virtualization-based-security-enclaves.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
+
+A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks.
+
+VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves)
diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md
new file mode 100644
index 0000000000..88ab8625b0
--- /dev/null
+++ b/windows/security/book/includes/win32-app-isolation.md
@@ -0,0 +1,41 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation
+
+Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
+
+Win32 app isolation follows a two-step process:
+
+- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
+- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
+
+To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
+
+To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
+
+- Approaches for accessing data and privacy information
+- Integrating Win32 apps for compatibility with other Windows interfaces
+
+The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Win32 app isolation overview][LINK-4]
+- [Application Capability Profiler (ACP)][LINK-5]
+- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
+- [Sandboxing Python with Win32 app isolation][LINK-7]
+
+
+
+[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
+[LINK-2]: /windows/win32/secauthz/access-control-lists
+[LINK-4]: /windows/win32/secauthz/app-isolation-overview
+[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
+[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
+[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
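Review bot: "implantation" in the second bullet of the two-step process is almost certainly a typo for "implementation" ("These capabilities enable the implementation of a [Discretionary Access Control List][LINK-2] on Windows"). Two smaller points in the same hunk: "To help ensuring that isolated applications run smoothly" should read "To help ensure that isolated applications run smoothly", and the reference definitions jump from [LINK-2] to [LINK-4] with no [LINK-3], which suggests an entry was dropped when the list was edited; either renumber the links or restore the missing one.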
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
new file mode 100644
index 0000000000..8e2f55f747
--- /dev/null
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
+
+Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
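Review bot: the two sentences of the second paragraph disagree about when state is discarded. The first ties it to the sandbox ("Once Windows Sandbox is closed, nothing persists"), the second ties it to the application ("permanently deleted after the untrusted Win32 application is closed"). Closing the application does not discard the sandbox; suggest "All the software, with all its files and state, is permanently deleted when Windows Sandbox is closed" so both sentences describe the same lifetime.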
diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md
new file mode 100644
index 0000000000..957410b0fb
--- /dev/null
+++ b/windows/security/book/includes/windows-subsystem-for-linux.md
@@ -0,0 +1,35 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Windows Subsystem for Linux (WSL)
+
+With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
+- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
+- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
+
+These features can be set up using a device management solution such as Microsoft Intune[\[7\]](../conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Hyper-V Firewall][LINK-1]
+- [DNS Tunneling][LINK-2]
+- [Auto proxy][LINK-3]
+- [Intune setting for WSL][LINK-4]
+- [Microsoft Defender for Endpoint plug-in for WSL][LINK-5]
+
+
+
+[LINK-1]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
+[LINK-2]: /windows/wsl/networking#dns-tunneling
+[LINK-3]: /windows/wsl/networking#auto-proxy
+[LINK-4]: /windows/wsl/intune
+[LINK-5]: /defender-endpoint/mde-plugin-wsl
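Review bot: in the Auto proxy bullet, "enforces WSL to use Windows' HTTP proxy information" is ungrammatical; suggest "forces WSL to use the Windows HTTP proxy settings". The following fragment, "Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions", reads as an instruction inside a feature list; "When a proxy is configured on Windows, turning this setting on applies it automatically to WSL distributions" keeps the descriptive register of the other bullets. The DNS Tunneling bullet is also unclear about what the alternative is ("to obtain DNS information rather than a networking packet"); "rather than sending DNS queries as network packets" states it.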
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 3fddf8be3c..3ee48c98ad 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -1,55 +1,61 @@
---
-title: Windows security book introduction
-description: Windows security book introduction
+title: Windows 11 security book - Windows security book introduction
+description: Windows 11 security book introduction.
ms.topic: overview
-ms.date: 04/09/2024
-ROBOTS:
+ms.date: 11/18/2024
---
# Windows 11 Security Book
-:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book.":::
+:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book." border="false":::
## Introduction
-Emerging technologies and evolving business trends bring new opportunities and challenges for organizations of all sizes. As technology and workstyles transform, so does the threat landscape with growing numbers of increasingly sophisticated attacks on organizations and employees.
+Today's organizations face a world of accelerated change, from marketplace fluctuation and sociopolitical events to the rapid adoption of new AI technologies. However, as organizations and industries innovate, so do increasingly sophisticated cybercriminals. Research shows that employees, including their devices, services, and identities, are at the center of attacks on businesses of all sizes. Some leading threats include identity attacks, ransomware, targeted phishing attempts, and business email compromise[\[1\]](conclusion.md#footnote1).
-To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
+To address the ever-growing and changing threat landscape, we announced the [Secure Future Initiative (SFI)][LINK-1] in November 2023. The SFI endeavors to advance cybersecurity protection across all our company and products.
-In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](conclusion.md#footnote1).
+Microsoft is committed to putting security above all else, with products and services that are secure by design and secure by default. We synthesize more than 65 trillion signals daily to understand digital threats and criminal cyberactivity[\[1\]](conclusion.md#footnote1). Through the SFI initiative, we've dedicated the equivalent of 34,000 full-time engineers to the highest priority security tasks. We continuously apply what we learn from incidents to improve our security and privacy models, security architecture, and technical controls.
-At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](conclusion.md#footnote2).
+### Security by design. Security by default.
-Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
+Working together with a shared focus is key to improving global security, from individuals and organizations to governments and industries. The world is moving toward a [secure by design and secure by default][LINK-2] approach, where technology producers are tasked with incorporating security during the initial design phase, and offering products that deliver protection right out of the box. As part of our commitment to making the world a safer place, we build security into every innovation. Windows 11 is secure by design and secure by default, with layers of defense enabled on day one to enhance your protection without the need to first configure settings. This secure-by-design approach spans the Windows edition range including Pro, Enterprise, IoT Enterprise, and Education editions. Copilot+ PCs are the fastest, most intelligent Windows devices ever, and they're also the most secure. These groundbreaking AI PCs come with secured-core PC protection and the latest safeguards like Microsoft Pluton and Windows Enhanced Sign-in Security enabled by default.
-To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance [\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](conclusion.md#footnote4).
+Except for Windows IoT Long-Term Servicing Channel (LTSC) editions, support for Windows 10 is ending soon on October 14, 2025. Upgrading or replacing outdated devices before Windows 10 support ends is a critical priority for building a strong security posture. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are relying on Windows 11.
-## Security priorities and benefits
+### Security priorities and benefits
-### Security by design and security by default
+Windows 11 enables you to focus on your work, not your security settings. Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 62% drop in security incidents, including a 3.0x reduction in firmware attacks[\[2\]](conclusion.md#footnote2).
-Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](conclusion.md#footnote5).
+In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation[\[3\]](conclusion.md#footnote3), token protection[\[3\]](conclusion.md#footnote3), passkeys, and Microsoft Intune Endpoint Privilege Management[\[4\]](conclusion.md#footnote4) are some of the latest capabilities that help protect organizations and individual users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0, biometric scanners, and Windows presence sensing to enable easier, secure sign-on and protection of your data and credentials.
-In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](conclusion.md#footnote6), token protection [\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
+Existing security features are also continuously enhanced across Windows 11. For example, BitLocker encryption has been optimized for additional security and performance, and is available on more devices.
-### Protect employees against evolving threats
+### Identity protection
-With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](conclusion.md#footnote5).
+Attackers are increasingly targeting employees and their devices, so organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities, and features like passkeys and secure biometric sign-in virtually eliminate the risk of lost or stolen passwords[\[5\]](conclusion.md#footnote5). Enhanced phishing protection also increases safety; in fact, businesses reported 2.9x fewer instances of identity theft with the hardware-backed protection in Windows 11[\[2\]](conclusion.md#footnote2).
-### Gain mission-critical application safeguards
+### Application safeguards
-Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of application security that shield critical data and code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
+Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of security that shield critical data and defend code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated defense helps protect against breaches and malware, assists in keeping data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
-### End-to-end protection with modern management
+With Trusted Signing, developers can effortlessly sign their applications. This process ensures the authenticity and integrity of the applications while enhancing security features to prevent and mitigate the impacts of malware on Windows.
-Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% [\[8\]](conclusion.md#footnote8).
+### Device health and access control
-## Security by design and default
+Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft provides the tools needed to attest that the devices connecting to your network, or accessing your data and resources, are trustworthy. You can enforce security policies and conditional access with cloud-based device management solutions such as Microsoft Intune, Microsoft Entra ID, and a comprehensive security baseline. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 improves productivity for IT and security teams by a reported 25%[\[6\]](conclusion.md#footnote6).
-In Windows 11, hardware and software work together to protect sensitive data from the core of your PC all the way to the cloud. Comprehensive protection helps keep your organization secure, no matter where people work. This simple diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
+### Chip-to-cloud security
+
+In Windows 11, hardware and software work together to protect sensitive data, from the core of the device all the way to the cloud. Comprehensive protection helps keep organizations secure, no matter where people work. The following diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
+- [Windows security features licensing and edition requirements](../licensing-and-edition-requirements.md)
+
+
+
+[LINK-1]: https://www.microsoft.com/trust-center/security/secure-future-initiative
+[LINK-2]: https://www.cisa.gov/resources-tools/resources/secure-by-design
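Review bot: the statistics and their footnote indices change together in this hunk (58% to 62%, 3.1x to 3.0x, 2.8x to 2.9x, with the citation moving from footnote 5 to footnote 2, and 43 trillion to 65 trillion signals under footnote 1), so confirm that conclusion.md#footnote1 and conclusion.md#footnote2 are updated in the same change to cite the sources for the new figures; otherwise the links resolve to the old references. Two wording points: "support for Windows 10 is ending soon on October 14, 2025" should drop "soon" ("ends on October 14, 2025"), and "Win32 apps in isolation" should match the feature name used by the new include, "Win32 app isolation".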
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index c574d203f1..d9ab85a02b 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,74 +1,95 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Encryption and data protection
+description: Operating System security chapter - Encryption and data protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Encryption and data protection
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
## BitLocker
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[6\]](conclusion.md#footnote6)> using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
+BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](conclusion.md#footnote4).
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
-## BitLocker To Go
+### BitLocker To Go
-BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
-## Device Encryption
+## Device encryption
-Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
+Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
## Encrypted hard drive
-Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
+Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
Encrypted hard drives enable:
-- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
-- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
-- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need
-to re-encrypt data on the drive
-- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
+- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
+- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
+- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive
+- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
-## Personal data encryption
+## Personal Data Encryption
-Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
+Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
-With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they'll be able to get PDE security as part of the OS.
+The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
-PDE requires Microsoft Entra ID.
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
-- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
+:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md)
## Email encryption
-Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
+Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
-These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
+The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
-However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
+When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
+- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
+- [Email encryption](/purview/email-encryption)
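Review bot: the removed line `PDE requires Microsoft Entra ID.` has no counterpart anywhere in the rewritten Personal Data Encryption section; if the Entra ID requirement still applies, keep it as a prerequisite sentence (for example right before the new-24h2 include) rather than dropping it silently. In the rewritten first paragraph, `designed to protect user's content` should read `designed to protect users' content` (or `a user's content`). The email paragraph also switches from third person (`users can send encrypted messages`) to second person (`Outlook asks you to remove these recipients`) within the same paragraph; pick one.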
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 5638c71bce..fff427b5b2 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,58 +1,56 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Network security
+description: Operating System security chapter - Network security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Network security
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
-New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
+New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, and new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall platforms offer new ways to easily configure and debug software.
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [How to protect your network](/defender-endpoint/network-protection)
+- [How to protect your network][LINK-1]
-## Transport layer security (TLS)
+## Transport Layer Security (TLS)
-Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
+Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
-TLS 1.3 is the latest version of the protocol and is enabled by default starting with Windows 11 and Windows Server 2022. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and encrypts as much of the TLS handshake as possible. The handshake is more performant, with one fewer round trip per connection on average, and supports only five strong cipher suites, which provide perfect forward secrecy and reduced operational risk.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQuic, and more) will get enhanced privacy and lower latencies for their encrypted online connections. Note that if either the client or server does not support TLS 1.3, Windows will fall back to TLS 1.2.
+- [TLS/SSL overview (Schannel SSP)][LINK-2]
+- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows][LINK-3]
-Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
-- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
-
-## DNS security
+## Domain Name System (DNS) security
In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
-name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
+name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
-Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
+Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
-Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
+Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
## Bluetooth protection
The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
-IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
-## Securing Wi-Fi connections
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Policy CSP - Bluetooth][LINK-4]
+
+## Wi-Fi connections
Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
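Review bot: `IT-managed environments have a number policy settings available` in the Bluetooth paragraph is missing `of` (`a number of policy settings`). In the merged TLS paragraph, `This version helps to eliminate ..., enhance ..., and aim to encrypt` mixes verb forms; make them parallel (`This version eliminates ..., enhances ..., and encrypts ...`), change `one less round trip` to `one fewer round trip`, and add a comma before `which provide perfect forward secrecy`. Dropping the TLS 1.0/1.1 deprecation paragraph leaves the `[TLS 1.0 and TLS 1.1 soon to be disabled in Windows][LINK-3]` entry with nothing in the body that explains why it is listed; consider keeping one sentence stating that TLS 1.0 and 1.1 are deprecated and that code dependencies on them should be removed. The rewrite also replaces `enabled by default starting with Windows 11 and Windows Server 2022` with `enabled by default in Windows`; if the book is meant to say where the default applies, keep the version qualifier.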
@@ -66,30 +64,33 @@ Opportunistic Wireless Encryption (OWE), a technology that allows wireless devic
5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
+- [eSIM configuration of a download server][LINK-5]
## Windows Firewall
-Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an important part of a layered security model. It provides host-based, two-way network traffic
+Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic
filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
-Windows Firewall in Windows 11 offers the following benefits:
+Windows Firewall offers the following benefits:
-- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
-ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
+- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
-- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
+- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
-Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
+Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
-Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[9\]](conclusion.md#footnote9), leveraging the platform
-support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
+Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-- [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
+The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Firewall overview][LINK-6]
+- [Firewall CSP][LINK-7]
## Virtual private networks (VPN)
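Review bot: in the new Firewall CSP paragraph, `the CSP stops processing subsequent rules and roll back all rules from that atomic block` should be `rolls back`. The same paragraph spells out `Firewall Configuration Service Provider (CSP)` although the acronym was already introduced two paragraphs earlier as `Firewall configuration service provider (CSP)`; use the acronym on second use and keep the capitalization consistent between the two. `cannot be successfully applied` can also be contracted (`can't`) to match the contractions the rest of this rewrite adopts (`there's`, `it's`).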
@@ -97,32 +98,42 @@ Organizations have long relied on Windows to provide reliable, secured, and mana
protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
consumer VPNs, including apps for the most popular enterprise VPN gateways.
-In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app for more control.
+In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
-The Windows VPN platform connects to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+The Windows VPN platform connects to Microsoft Entra ID[\[4\]](conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
-The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
+The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Windows VPN technical guide](../operating-system-security/network-security/vpn/vpn-guide.md)
+- [Windows VPN technical guide][LINK-8]
## Server Message Block file services
-Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant security updates to meet today's threats, including AES-256 encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and an entirely new scenario, SMB over QUIC for untrusted networks.
+Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes.
-SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
+Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks.
-In Windows 11 Enterprise, Education, Pro, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional Transmission Control Protocol (TCP) and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now, data is encrypted before placement, leading to relatively minor performance degradation while adding packet privacy with AES-128 and AES-256 protection.
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
-Windows 11 also introduces AES-128-GMAC for SMB signing. Windows will automatically negotiate this better-performing cipher method when connecting to another computer that supports it. Signing prevents common attacks like relay and spoofing, and it is required by default when clients communicate with Active Directory domain controllers.
+New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements.
-Finally, Windows 11 introduces SMB over QUIC, an alternative to the TCP network transport that provides secure, reliable connectivity to edge file servers over untrusted networks like the internet, as well as highly secure communications on internal networks. QUIC is an Internet Engineering Task Force (IETF)-standardized protocol with many benefits when compared with TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers an SMB VPN for telecommuters, mobile device users, and high-security organizations. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change. SMB over QUIC will be a game-changing feature for Windows 11 accessing Windows file servers and eventually Azure Files and third parties.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Newly installed Windows 11 Home editions that contain the February 2023 cumulative update no longer install the SMB 1.0 client by default, meaning the Home edition now operates like all other editions of Windows 11. SMB 1.0 is an unsafe and deprecated protocol that Microsoft superseded by later versions of SMB starting with Windows Vista. Microsoft began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of Windows 11 now install SMB 1.0 by default.
+- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2][LINK-9]
+- [File sharing using the SMB 3 protocol][LINK-10]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
-- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
+[LINK-1]: /defender-endpoint/network-protection
+[LINK-2]: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
+[LINK-3]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947
+[LINK-4]: /windows/client-management/mdm/policy-csp-bluetooth
+[LINK-5]: /mem/intune/configuration/esim-device-configuration-download-server
+[LINK-6]: /windows/security/operating-system-security/network-security/windows-firewall
+[LINK-7]: /windows/client-management/mdm/firewall-csp
+[LINK-8]: /windows/security/operating-system-security/network-security/vpn/vpn-guide
+[LINK-9]: /windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes
+[LINK-10]: /windows-server/storage/file-server/file-server-smb-overview
\ No newline at end of file
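Review bot: `Remote Directory Memory Access (RDMA)` in the new SMB paragraph is the wrong expansion; RDMA is Remote Direct Memory Access. The error is carried over from the removed line rather than introduced here, but the rewrite is the place to fix it. The new file also ends without a trailing newline (`\ No newline at end of file`) after the `[LINK-10]` definition; add one. Separately, the condensed SMB section no longer states that no Windows 11 edition installs the SMB 1.0 client by default; that statement concerned the February 2023 cumulative update, so the `[Server Message Block (SMB) protocol changes in Windows 11, version 24H2][LINK-9]` entry is not an obvious replacement for it, and if the point is still intended to be in the book it needs a sentence of its own.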
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index a3d5e5e95b..dd056f219e 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,13 +1,13 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - System security
+description: Operating System security chapter - System security.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# System security
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
## Trusted Boot (Secure Boot + Measured Boot)
@@ -15,23 +15,22 @@ Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'
Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-To reduce the risk of firmware rootkits, the PC verifies that firmware is digitally signed as it begins the boot process. Then Secure Boot checks the OS bootloader's digital signature as well as all code that runs prior to the operating system starting to ensure the signature and code are uncompromised and trusted by the Secure Boot policy.
+To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy.
Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
-Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+[!INCLUDE [learn-more](includes/learn-more.md)]
-For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
+- [Secure the Windows boot process][LINK-1]
+- [Secure Boot and Trusted Boot][LINK-2]
## Cryptography
Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
-Learn more: FIPS 140 validation
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- FIPS 140 validation
Windows cryptographic modules provide low-level primitives such as:
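Review bot: the added bullet `- FIPS 140 validation` under the learn-more include has no link target, while every other learn-more bullet in this change is a reference-style link such as `- [Secure the Windows boot process][LINK-1]`; either give it a `[LINK-n]` reference to the FIPS 140 validation page or drop the bullet, since a learn-more list with nothing to follow is misleading. The deletion of "Tampering or malware attacks on the Windows boot sequence are blocked..." is correct, as it repeated the last sentence of the paragraph that precedes it.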
@@ -43,7 +42,9 @@ Windows cryptographic modules provide low-level primitives such as:
Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
-Learn more: Cryptography and certificate management
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- Cryptography and certificate management
Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
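Review bot: same gap as in the previous hunk: `- Cryptography and certificate management` is a bare bullet under the learn-more include with no `[LINK-n]` reference, so the reader has nothing to click; add the reference or remove the bullet rather than leaving a placeholder.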
@@ -52,30 +53,30 @@ exchange, opportunities to engage with technical content about Microsoft's produ
## Certificates
-To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or MMC snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and
-certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust have not been revoked or compromised. The CTLs and CRLs on the machine are used as a reference for PKI trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices will be updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Additionally, enterprise certificate pinning can be used to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificate authorities. Any web application triggering a name mismatch will start event logging and prevent user access from Microsoft Edge.
+To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
## Code signing and integrity
To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
-The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the Windows Hardware Compatibility Program (WHCP). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
+The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)][LINK-3]. This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
-## Device health attestation
+## Device Health Attestation
-The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
-determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune[\[9\]](conclusion.md#footnote9) reviews device health and connects this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) for conditional access.
+The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) for conditional access.
-Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
+Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
-- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Microsoft Azure Attestation Service
+- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service
- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
-Learn more: Control the health of Windows devices
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Control the health of Windows devices][LINK-4]
## Windows security policy settings and auditing
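Review bot: the rewritten Certificates paragraph drops the enterprise certificate pinning content without replacement (the sentences about protecting internal domain names from chaining to unwanted certificates, checking a web application's server authentication certificate chain against a restricted set of certificate authorities, and the event logging and Edge block on a name mismatch); that is the one man-in-the-middle mitigation in this section, so either keep those sentences or add a learn-more entry that points to the enterprise certificate pinning page. Two smaller points in the Device Health Attestation part: the changed bullet now says "Azure Attestation service" while the unchanged bullet right below it and the paragraph above still say "Azure Attestation Service", so pick one form; and "These events are bound to the TPM, that functions as a hardware root-of-trust" is carried into the new line with the same grammar error and should read "which functions".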
@@ -86,7 +87,7 @@ Security policy settings are a critical part of your overall security strategy.
- Whether to record a user or group's actions in the event log
- Membership in a group
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization.
+Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies.
All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
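Review bot: "configuration service providers (CSP)" should be "(CSPs)" to agree with the plural, and the trailing phrase "tailored to the needs of your organization using configuration service providers (CSP) or group policies" attaches to "organization" rather than to the configuring; suggest "You can use configuration service providers (CSPs) or group policies to specify categories of security-related events and create an audit policy tailored to the needs of your organization."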
@@ -96,34 +97,93 @@ All auditing categories are disabled when Windows is first installed. Before ena
1. Test these settings to validate your choices.
1. Develop plans for deploying and managing your audit policy.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
-- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
+- [Security policy settings][LINK-5]
+- [Security auditing][LINK-6]
-## Assigned Access
+## Windows Security
-With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
+:::row:::
+ :::column span="2":::
+ Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/windows-security.png" :::
+ :::column-end:::
+:::row-end:::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Stay protected with Windows Security][LINK-7]
+- [Windows Security][LINK-8]
+
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Config Refresh
+
+With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
+
+By contrast, with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
+
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
+
+Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Config Refresh][LINK-9]
+
+## Kiosk mode
+
+:::row:::
+ :::column span="2":::
+ Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" :::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
-## Config Refresh
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Windows protected print
-With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT.
+Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
-By contrast, with an MDM solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
+The benefits of Windows protected print include:
-Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM.
+- Increased PC security
+- Simplified and consistent printing experience, regardless of PC architecture
+- Removes the need to manage print drivers
-Config Refresh can also be *paused* for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a PC for troubleshooting purposes. It can also be resumed at any time by an administrator.
+Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible.
-## Windows security settings
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+- [Windows protected print][LINK-10]
+- [New, modern, and secure print experience from Windows][LINK-11]
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Rust for Windows
-- [Windows security settings](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
-- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
+Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
+We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Rust for Windows, and the windows crate][LINK-12]
+
+
+
+[LINK-1]: /windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process
+[LINK-2]: /windows/security/operating-system-security/system-security/trusted-boot
+[LINK-3]: /windows-hardware/design/compatibility/
+[LINK-4]: /windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
+[LINK-5]: /windows/security/threat-protection/security-policy-settings/security-policy-settings
+[LINK-6]: /windows/security/threat-protection/auditing/security-auditing-overview
+[LINK-7]: https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963
+[LINK-8]: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
+[LINK-9]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921
+[LINK-10]: /windows-hardware/drivers/print/modern-print-platform
+[LINK-11]: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645
+[LINK-12]: /windows/dev-environment/rust/rust-for-windows
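Review bot: the Kiosk mode paragraph cites Microsoft Intune as `[\[7\]](conclusion.md#footnote7)` while every other Intune reference in this change, including the Config Refresh paragraph in this same hunk, was renumbered to `[\[4\]](conclusion.md#footnote4)`; one of these points at the wrong footnote. In the Config Refresh text, "But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period..." lost the conjunction the replaced line had ("But as more available group policies were implemented through MDM, one remaining gap was...") and now reads as two fused clauses; suggest "But as policy settings are migrated from GPO to a device management solution, one remaining gap is...", and "at eight-hours interval" should be "at eight-hour intervals" as in the replaced line. Style: the kiosk learn-more bullet keeps an inline link `(/windows/configuration/assigned-access)` with no blank line after the include, unlike the other learn-more lists here that use `[LINK-n]` references; "We're expanding the integration of Rust into the Windows kernel..." directly follows the "Rust is a modern programming language..." line with no blank line, so both render as one paragraph; and there are three consecutive blank lines before `[LINK-1]:`.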
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index c5873bd86f..cb69b30617 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,13 +1,13 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Virus and threat protection
+description: Operating System security chapter - Virus and threat protection.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Virus and threat protection
+# Virus and threat protection in Windows 11
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats.
@@ -25,29 +25,59 @@ SmartScreen also determines whether a downloaded app or app installer is potenti
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
-With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[9\]](conclusion.md#footnote9). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
-The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
+The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/).
+
+## Network protection
+
+While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files.
+
+When using Network Protection with Microsoft Defender for Endpoint, you'll be able to use Indicators of Compromise to block specific URL's and/or ip addresses.
+Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering.
+
+[Network Protection library](/defender-endpoint/network-protection)
+[Web protection library](/defender-endpoint/web-protection-overview)
+
+## Tamper protection
+
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
+With tamper protection, malware is prevented from taking actions such as:
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+- Disabling automatic actions on detected threats
+- Disabling archived files
+- Altering exclusions
+- Disabling notifications in the Windows Security app
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
## Microsoft Defender Antivirus
-Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
+Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on.
-Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but are not considered malware.
+Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware.
-Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies provides award-winning protection at home and at work.
+Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work.
:::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Next-generation protection with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
+- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows).
-## Attack surface reduction
+## Attack surface reduction rules
-Attack surface reduction rules help prevent software behaviors that are often abused to compromise devices and networks. By reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
+Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
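Review bot: the new ASR intro sentence "By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization" is hard to parse: "and/or" with singular "script" reads oddly, and "reducing ... you can reduce" is redundant. Suggest "By controlling when and how executables and scripts can run, attack surface reduction rules reduce the overall vulnerability of your organization." In the antivirus paragraph above it, "local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides" needs a comma before "including" (the list is nonrestrictive and is already closed by a comma after "learning").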
@@ -58,69 +88,32 @@ For example, an attacker might try to run an unsigned script from a USB drive or
For Microsoft Edge and reducing the attack surface across applications, folders, device,
network, and firewall.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)
-
-## Tamper protection
-
-Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
-
-With tamper protection, malware is prevented from taking actions such as:
-
-- Disabling real-time protection
-- Turning off behavior monitoring
-- Disabling antivirus, such as IOfficeAntivirus (IOAV)
-- Disabling cloud-delivered protection
-- Removing security intelligence updates
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
-
-## Exploit protection
-
-Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9), which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune[\[9\]](conclusion.md#footnote9) to distribute the configuration XML file to multiple devices simultaneously.
-
-When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
-
-You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
-
-Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Protecting devices from exploits](/microsoft-365/security/defender-endpoint/enable-exploit-protection)
+- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
## Controlled folder access
You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Controlled folder access](/defender-endpoint/controlled-folders)
-## Microsoft Defender for Endpoint
+## Exploit Protection
-Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9) is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats.
+Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously.
-Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
-- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
-- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[9\]](conclusion.md#footnote9), and online assets
-- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked
-attacks that include 31 billion identity threats and 32 billion email threats
-- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
-detailed investigation outcomes
+You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
-Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
-platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
+Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection)
\ No newline at end of file
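Review bot: the added sentence "And go through safe deployment practices (SDP)." in the Exploit Protection section is a fragment that does not attach to the audit-mode sentence before it; suggest folding it in, e.g. "You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled, and then follow safe deployment practices (SDP) when rolling it out." Two other things to confirm in this hunk: the footnote reference moved from `[\[9\]](conclusion.md#footnote9)` to `[\[4\]](conclusion.md#footnote4)`, so conclusion.md must actually define footnote4 for Defender for Endpoint; and the whole "Tamper protection" section is deleted with no replacement in this file, which should be intentional (and covered by a redirect or another chapter) rather than lost in the reshuffle. The file also ends without a trailing newline.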
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index f5bf82d057..17141c211b 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -1,14 +1,16 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Operating System security
+description: Operating System security chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Operating System security
:::image type="content" source="images/operating-system-security-cover.png" alt-text="Cover of the operating system security chapter." border="false":::
-:::image type="content" source="images/operating-system-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+Operating systems face an onslaught of security threats, from malware and exploits to unauthorized access and privilege escalation. Windows 11 is the most secure Windows yet, with strong operating system safeguards to help keep devices, identities, and data safe.
-Windows 11 is the most secure Windows yet with extensive security measures in the operating system designed to help keep devices, identities, and information safe. These measures include built-in advanced encryption and data protection, robust network system security, and intelligent safeguards against ever-evolving viruses and threats.
+Defenses include a trusted boot process, layers of encryption, network security, and virus and threat protection. These comprehensive security features ensure that Windows 11 provides robust protection against modern cyber threats.
+
+:::image type="content" source="images/operating-system-on.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
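Review bot: "These comprehensive security features ensure that Windows 11 provides robust protection against modern cyber threats" states an absolute guarantee, while the preceding sentence is correctly hedged as "safeguards to help keep devices, identities, and data safe". Suggest "help Windows 11 provide robust protection" for consistency. Separately, the front-matter description was reduced to "Operating System security chapter.", which carries no information beyond the title; consider keeping the previous descriptive sentence as the description.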
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 01caad195d..9aa5d2bd86 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,17 +1,20 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy controls
+description: Privacy chapter - Privacy controls.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Privacy controls
-:::image type="content" source="images/privacy.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+## Microsoft Privacy Dashboard
-## Privacy dashboard and report
+Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency.
-Customers can use the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy) to view, export, and delete their information, giving them further transparency and control. They can also use the [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) to learn more about Windows data collection and how to manage it. For enterprises we provide a guide for Windows Privacy Compliance that includes additional details on the available controls and transparency.
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy)
+- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report)
## Privacy transparency and controls
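Review bot: the rewritten paragraph still says "we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency", but the new Learn more list only carries the Privacy Dashboard and Privacy Report links; the compliance guide should be added as a third list entry (or the sentence dropped), otherwise readers are pointed at a resource they cannot reach. Also note the Privacy Dashboard is linked here as https://account.microsoft.com/privacy; the privacy.md hunk below links a differently named "account dashboard" to https://privacy.microsoft.com/, so the two pages should agree on one name and target.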
@@ -19,7 +22,7 @@ Prominent system tray icons show users when resources and apps like microphones
## Privacy resource usage
-Every Microsoft customer should be able to use our products secure in the knowledge that we will protect their privacy and give them the information and tools they need to easily make privacy decisions with confidence. Accessed in Settings, the new app usage history feature gives users a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
+Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired.
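Review bot: stray comma in "secure in the knowledge that we protect their privacy, and give them the information and tools"; "protect" and "give" share the subject "we", so no comma is needed before "and". Suggest "that we protect their privacy and give them the information and tools they need".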
@@ -27,6 +30,6 @@ This information helps you determine if an app is behaving as expected so that y
The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
index 19cae8027a..d4acb2ffed 100644
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@@ -1,16 +1,14 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy
+description: Privacy chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Privacy
:::image type="content" source="images/privacy-cover.png" alt-text="Cover of the privacy chapter." border="false":::
-:::image type="content" source="images/privacy-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+Privacy is an important priority for individuals and organizations, and the rise of AI is bringing it into even sharper focus. Windows provides privacy controls that can be easily accessed in the Settings app or desktop system tray for speech, location, calendar, microphone, call history, and more. Users can also find more information and manage privacy settings for Microsoft apps and services by signing into their [account dashboard](https://privacy.microsoft.com/).
-[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/).
-
-Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
+:::image type="content" source="images/privacy-on.png" alt-text="Diagram containing a list of security features." lightbox="images/privacy.png" border="false":::
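Review bot: "by signing into their [account dashboard](https://privacy.microsoft.com/)" should read "signing in to" (the verb is "sign in"), and the link text "account dashboard" does not match the target, which is the Microsoft privacy site rather than an account page; the privacy-controls.md hunk calls the same thing the "Microsoft Privacy Dashboard" and links https://account.microsoft.com/privacy. Suggest using that name and URL here too so the two pages are consistent.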
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index fe9fa899fc..1f8c8c878d 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,19 +1,23 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Certification
+description: Security foundation chapter - Certification.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Certification
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance.
## Federal Information Processing Standard (FIPS)
-The Federal Information Processing Standard (FIPS) Publication 140 is a US government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows FIPS 140 validation][LINK-1]
## Common Criteria (CC)
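Review bot: the rewritten FIPS paragraph broadens the claim from "having validated cryptographic modules against FIPS 140-2 since it was first established" to "consistently validating its cryptographic modules against FIPS 140 since the standard's inception". FIPS 140 as a family predates 140-2, so this now asserts validations back to the first revision; please confirm that is accurate before merging, or keep the narrower "FIPS 140-2" wording. "Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard" is also weaker and wordier than the original "maintains an active commitment to meeting the requirements of the FIPS 140 standard".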
@@ -21,4 +25,11 @@ Common Criteria (CC) is an international standard currently maintained by nation
Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
-Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](/windows/security/threat-protection/windows-platform-common-criteria)
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Common Criteria certifications][LINK-2]
+
+
+
+[LINK-1]: /windows/security/security-foundations/certification/fips-140-validation
+[LINK-2]: /windows/security/threat-protection/windows-platform-common-criteria
\ No newline at end of file
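Review bot: three consecutive blank lines are added before the `[LINK-1]`/`[LINK-2]` definitions, and the file still ends without a trailing newline; collapse the blank run to one line and add the final newline. The reference-style link definitions themselves are fine and match the `[LINK-1]` use in the previous hunk.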
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 965ecba6c0..f40f549653 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,13 +1,28 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Secure Future Initiative and offensive research
+description: Security foundation chapter - Secure Future Initiative and offensive research.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Offensive research
+# Secure Future Initiative and offensive research
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+
+## Secure Future Initiative (SFI)
+
+Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security.
+
+The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security.
+
+To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI.
+
+:::image type="content" source="images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="images/sfi.png" border="false":::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Secure Future Initiative][LINK-6]
+- [September 2024 progress update on SFI][LINK-5]
## Microsoft Security Development Lifecycle (SDL)
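Review bot: the new Learn more list uses `[LINK-6]` before `[LINK-5]`, and the definitions added in the next hunk are numbered in a different order from first use; since the numbering carries no meaning, renumber the references sequentially in order of appearance (the SFI links would become LINK-1 and LINK-2 with the MORSE and Insider links shifted), which keeps the pattern used in security-foundation-certification.md.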
@@ -15,28 +30,35 @@ The Microsoft Security Development Lifecycle (SDL) introduces security best prac
## OneFuzz service
-A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
-
-Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
-- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
+A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released.
## Microsoft Offensive Research and Security Engineering
-[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
+Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
-## Windows Insider and Bug Bounty program
+[!INCLUDE [learn-more](includes/learn-more.md)]
-As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
+- [MORSE security team takes proactive approach to finding bugs][LINK-1]
+- [MORSE Blog][LINK-2]
-The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
+## Windows Insider and Microsoft Bug Bounty Programs
-Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quick fix the issues before releasing our final Windows.
+As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
-- [Windows Insider Program](/windows-insider/get-started)
-- [Microsoft bounty programs](https://www.microsoft.com/msrc/bounty)
+Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Insider Program][LINK-3]
+- [Microsoft Bug Bounty Programs][LINK-4]
+
+
+
+[LINK-1]: https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering
+[LINK-2]: https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team
+[LINK-3]: /windows-insider/get-started
+[LINK-4]: https://www.microsoft.com/msrc/bounty
+[LINK-5]: https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/
+[LINK-6]: https://www.microsoft.com/trust-center/security/secure-future-initiative
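Review bot: the "## OneFuzz service" heading is kept as unchanged context, but every line that mentioned OneFuzz under it (the Project OneFuzz paragraph and the two OneFuzz links) is deleted, leaving a section titled "OneFuzz service" whose only content is the SDL tooling paragraph about threat modeling, static analysis, and fuzz testing. Either rename the heading (it reads as a continuation of the SDL section) or restore the OneFuzz paragraph and GitHub link, especially since the MORSE paragraph below still refers to "Microsoft's open-source OneFuzz platform" and readers now have no link for it. Second, the bounty paragraphs now say the "Windows Insider Preview Program invites eligible researchers ... to find and submit vulnerabilities" and that "the goal of the Windows Insider Preview Program is to uncover significant vulnerabilities"; the original correctly attributed both to the Windows Insider Preview bounty program, and the Insider Program as a whole does not have that goal, so the word "bounty" should go back in. Lastly, the same triple blank line before the link definitions appears here as in the certification file.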
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index ee2f6ef548..9e638bfbc5 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -1,22 +1,22 @@
---
-title: Secure supply chain
-description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+title: Windows 11 security book - Secure supply chain
+description: Security foundation chapter - Secure supply chain.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
# Secure supply chain
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
-The end-to-end Windows 11 supply chain is complex, extending from the entire development process to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, as well as the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
+The end-to-end Windows 11 supply chain is complex. It extends from the entire development process, to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, and the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
Microsoft requires the Windows 11 supply chain to comply with controls including:
- Identity management and user access control
- Access control
- Principles of least privilege
- - RBAC
+ - Role-based access control (role-based access control)
- Segregation of duties
- MFAs
- Account management
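Review bot: the expanded list item reads "Role-based access control (role-based access control)", which repeats the expansion in the parentheses; the intent was clearly "Role-based access control (RBAC)", matching the "Supplier Security and Privacy Assurance (SSPA)" pattern used in the next hunk. While here, "MFAs" three lines down could get the same treatment ("Multifactor authentication (MFA)"), since it is the only remaining bare acronym in this block.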
@@ -42,7 +42,7 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
- Manufacturing security
- Physical security monitoring
- Supplier security control
- - SSPA
+ - Supplier Security and Privacy Assurance (SSPA)
- Supplier screening
- Supplier inventory
- Logistics security control
@@ -53,14 +53,22 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
## Software bill of materials (SBOM)
-In addition to following the above supply chain security controls, SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers.
+In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards.
-Code-signing software is the best way to guarantee application integrity and authenticity and helps users distinguish between trusted applications and malware before downloading or installing. Code signing proprietary applications and software from other organizations greatly reduces the complexity of creating and managing application control policies. Code signing enables the creation and deployment of certificate chain-based application control policies, which can then be cryptographically enforced.
+The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain.
-Traditionally, code signing has been a difficult undertaking due to the complexities involved in obtaining certificates, securely managing those certificates, and integrating a proper signing process into the development and continuous integration and continuous deployment (CI/CD) pipelines.
+By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem.
-## Windows App software development kit (SDK)
+[!INCLUDE [learn-more](includes/learn-more.md)]
-Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+- [SBOM tool](https://github.com/microsoft/sbom-tool)
+- [Code Sign Tool](https://github.com/microsoft/CoseSignTool)
-If you are a developer, you can find security best practices and information at [Windows application development - best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples). For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
+## Windows Software Development Kit (SDK)
+
+Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows application development - best practices](/windows/apps/get-started/best-practices)
+- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples)
\ No newline at end of file
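Review bot: the renamed heading "Windows Software Development Kit (SDK)" and the rewritten paragraph now say "Windows SDK", but the samples bullet still points to `https://github.com/microsoft/WindowsAppSDK-Samples`, which is the Windows App SDK, a different product from the Windows SDK; either keep "Windows App SDK" in the heading and text or link Windows SDK samples. The sentence "we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence" has a grammar slip and a number mismatch; suggest "we use Software Bills of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) signing for all build evidence". The link label "Code Sign Tool" should match the name the prose uses two paragraphs earlier, "CoseSignTool". The file also still ends without a trailing newline.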
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index f0fb340c8a..2748af0a55 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -1,18 +1,14 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Security foundation
+description: Security foundation chapter.
ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
---
-# Security foundation
+# Security foundation in Windows 11
:::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
-Microsoft is committed to continuously investing in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest lifecycle phases of all our product design and software development processes. We build in security from the ground up for powerful defense in today's threat environment and have the infrastructure to protect and react quickly to future threats.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
-Every component of the Windows 11 technology stack, from chip-to-cloud, is purposefully built secure by design. Windows 11 meets the modern threats of today's flexible work environments by delivering hardware-based isolation, end-to-end encryption, and advanced malware protection.
-
-With Windows 11, organizations can improve productivity and gain intuitive new experiences without compromising security.
-
-:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
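Review bot: the new `description` ("Security foundation chapter.") drops the "Windows 11 security book" context that the old description carried and that only the `title` now holds; since `description` feeds search snippets, consider "Security foundation chapter of the Windows 11 security book." Also, `ms.date` here is set to 11/18/2024 while the other files in this change use 11/22/2024 or 12/02/2024; align them if these pages were edited in the same pass.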
diff --git a/windows/security/book/toc.yml b/windows/security/book/toc.yml
index e1135516e9..928d02f50f 100644
--- a/windows/security/book/toc.yml
+++ b/windows/security/book/toc.yml
@@ -55,11 +55,13 @@ items:
items:
- name: Overview
href: security-foundation.md
- - name: Offensive research
+ - name: Secure Future Initiative and offensive research
href: security-foundation-offensive-research.md
- name: Certification
href: security-foundation-certification.md
- name: Secure supply chain
href: security-foundation-secure-supply-chain.md
- name: Conclusion
- href: conclusion.md
\ No newline at end of file
+ href: conclusion.md
+- name: Features index
+ href: features-index.md
\ No newline at end of file
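Review bot: the `href: conclusion.md` line is rewritten only to gain a trailing newline, yet the new last line `href: features-index.md` again ends without one ("\ No newline at end of file"); add the newline so the next edit does not produce the same churn. Also confirm that `features-index.md` is present in `windows/security/book/` so the new TOC entry resolves.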
diff --git a/windows/security/cloud-services/index.md b/windows/security/cloud-services/index.md
deleted file mode 100644
index 9124be688f..0000000000
--- a/windows/security/cloud-services/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows and cloud services
-description: Get an overview of cloud-based services in Windows.
-ms.date: 05/06/2024
-ms.topic: overview
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows and cloud services
-
-Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
-
-From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
-
-Learn more about cloud-based services in Windows.
-
-[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]
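Review bot: deleting this page may leave `../includes/sections/cloud-services.md` (the include at the end of the removed file) without a consumer; either remove that include file too or confirm another page still uses it. Inbound links to `windows/security/cloud-services/index.md` need a redirect entry, and the TOC overview entry for it is removed in the next hunk, so grep the repo for any remaining links to this path.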
diff --git a/windows/security/cloud-services/toc.yml b/windows/security/cloud-services/toc.yml
index 4132706858..92d3eaac86 100644
--- a/windows/security/cloud-services/toc.yml
+++ b/windows/security/cloud-services/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Overview
- href: index.md
- name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
href: /azure/active-directory/devices/concept-azure-ad-join
- name: Security baselines with Intune 🔗
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index b7d4db82be..e0cd0064c8 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -150,7 +150,7 @@
"✅ Windows Server 2016"
],
"book/**/*.md": [
- "✅ Windows 11"
+ "Windows 11"
],
"hardware-security/**/*.md": [
"✅ Windows 11",
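Review bot: dropping the check mark from `"✅ Windows 11"` for `book/**/*.md` makes this the only entry in the appliesto list without it (the adjacent `hardware-security/**/*.md` keeps `"✅ Windows 11"`); if the intent is that the book pages show a plain "Windows 11" label instead of the checklist rendering, state that in the PR description, otherwise keep the format consistent with the other entries.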
@@ -251,7 +251,7 @@
"security-foundations/certification/**/*.md": "paoloma"
},
"ms.collection": {
- "book/*.md": "tier3",
+ "book/*.md": "tier1",
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
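Review bot: the `ms.collection` key uses the glob `book/*.md` while the appliesto section above uses `book/**/*.md`; if the book folder has or gains subfolders, pages in them get the appliesto metadata but not the `tier1` collection. Use the same `**` form here.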
@@ -259,9 +259,6 @@
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"security-foundations/certification/**/*.md": "tier3",
"threat-protection/auditing/*.md": "tier3"
- },
- "ROBOTS": {
- "book/*.md": "NOINDEX"
}
},
"template": [],
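Review bot: removing the whole `ROBOTS` object rather than only its `book/*.md` entry is the right call since it had a single entry, and the remaining braces still close correctly. Note the effect: this flips the security book from NOINDEX to indexable, which is what the redirects and the `tier1` change aim for, so make sure every book page is in a publishable state before merge, as search engines will pick them up.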
diff --git a/windows/security/hardware-security/index.md b/windows/security/hardware-security/index.md
deleted file mode 100644
index e8cfb27d50..0000000000
--- a/windows/security/hardware-security/index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Windows hardware security
-description: Learn more about hardware security features support in Windows.
-ms.date: 07/10/2024
-ms.topic: overview
-appliesto:
----
-
-# Windows hardware security
-
-:::image type="content" source="..\book\images\hardware.png" alt-text="Diagram of containing a list of security features." lightbox="..\book\images\hardware.png" border="false":::
-
-Learn more about hardware security features support in Windows.
-
-[!INCLUDE [hardware](../includes/sections/hardware.md)]
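Review bot: same orphan check as for the cloud-services page: the include `../includes/sections/hardware.md` referenced at the end of the deleted file may now have no consumer. The deleted frontmatter also carried an empty `appliesto:` key; worth checking that no other page still has the same empty key.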
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 92e9f40c56..7cacd9e8a8 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@@ -1,7 +1,5 @@
items:
- - name: Overview
- href: index.md
- - name: Hardware root of trust
+ - name: Hardware root-of-trust
items:
- name: System Guard
href: how-hardware-based-root-of-trust-helps-protect-windows.md
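Review bot: "Hardware root-of-trust" hyphenates a noun phrase; "root of trust" is conventionally written unhyphenated when used as a noun (the hyphens belong only in attributive use such as "root-of-trust chain"), and the child page slug `how-hardware-based-root-of-trust-helps-protect-windows.md` is a URL, not a style precedent. Keep "Hardware root of trust" as the TOC label.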
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 55551c53ca..59d5e97382 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,8 +1,8 @@
---
-title: Enterprise certificate pinning
+title: Enterprise Certificate Pinning In Windows
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: concept-article
-ms.date: 03/12/2024
+ms.date: 12/02/2024
---
# Enterprise certificate pinning overview
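Review bot: the new title "Enterprise Certificate Pinning In Windows" uses title case with a capitalized "In", which does not match the sentence-case titles used elsewhere in this change (for example "Windows Hello for Business cloud-only deployment guide") or the page's own H1 "Enterprise certificate pinning overview". Use "Enterprise certificate pinning in Windows".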
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index 553251974a..f2c4e29919 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud-only deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 9b2e6325b4..e4312d8684 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud Kerberos trust deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
@@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
-> [!NOTE]
-> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+ > [!NOTE]
+ > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
## Migrate from certificate trust deployment model to cloud Kerberos trust
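Review bot: the re-indented note reads "the first sign in" while the identical note further down in the same file (after the certificate trust migration steps) reads "the first sign-in"; since this line is being rewritten anyway, use the hyphenated noun form in both places. Nesting the note under step 2 is the right intent, so that it renders as part of that step rather than as a stray paragraph after the list.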
@@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
-1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings).
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
> [!NOTE]
> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index c97ec8cde9..742939bf9d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b775003f0..ce6526f4a7 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index 6adbe43c94..11af1ac31c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/23/2024
+ms.date: 11/22/2024
ms.topic: include
---
@@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF
For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+
+> [!TIP]
+> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings).
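Review bot: "verify if you need to update" in the new tip should be "verify whether you need to update"; the preceding context sentence ending "Build a Custom Authentication Method for AD FS in Windows Server](...)" also lacks a terminating period and could be fixed in the same touch. It would help readers to say what symptom the WIA user agent setting addresses (the linked page covers it), since "verify if you need to update" gives no cue for when this applies.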
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 7446d01e92..73dd0d6cbf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
+1. Open the **Certification Authority** management console.
+1. Expand the parent node from the navigation pane.
+1. Select **Certificate Templates** in the navigation pane.
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue.
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority.
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list.
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation.
+1. Close the console.
## Configure the certificate registration authority
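Review bot: in "Select **New > Certificate Template** to issue." the bold should cover the full menu item, `**New > Certificate Template to Issue**`, since "to Issue" is part of the command name in the Certification Authority console; as written, the trailing "to issue." reads as an instruction fragment. In the next step, "**Enable Certificates Templates**" should be "**Enable Certificate Templates**", the dialog's actual name.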
@@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
```
>[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
### Enrollment agent certificate lifecycle management
@@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
-> - Configure an enrollment agent certificate template
-> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> - Confirm you properly configured the Windows Hello for Business authentication certificate template
-> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
-> - Confirm you properly configured load-balancing (hardware or software)
-> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
-> - Confirm you have deployed a MFA solution for AD FS
+> - Configure an enrollment agent certificate template.
+> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template.
+> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+> - Confirm you restarted the AD FS service.
+> - Confirm you properly configured load-balancing (hardware or software).
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address.
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+> - Confirm you have deployed a MFA solution for AD FS.
> [!div class="nextstepaction"]
> [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md)
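Review bot: good catch restoring the missing `- ` bullet on "Confirm you restarted the AD FS service." Two remaining nits in lines touched here: "Windows Hello Business authentication certificate template" is missing "for" ("Windows Hello for Business"), and "a MFA solution" should be "an MFA solution".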
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index d9e217575b..123d35b434 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises key trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
index 0aeded8941..efbea47423 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -1,7 +1,7 @@
---
title: Prepare users to provision and use Windows Hello for Business
description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: end-user-help
---
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
index 7dd1507298..0d5f859326 100644
--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -1,7 +1,7 @@
---
title: Dual enrollment
description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 05/06/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users
Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object.
```cmd
dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
@@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent
dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
```
-1. To trigger security descriptor propagation, open `ldp.exe`
-1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
-1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
-1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
-1. Select **Run** to start the task
-1. Close LDP
+1. To trigger security descriptor propagation, open `ldp.exe`.
+1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**.
+1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user.
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**.
+1. Select **Run** to start the task.
+1. Close LDP.
### Configure dual enrollment with group policy
You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-1. Edit the Group Policy object from step 1
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Edit the Group Policy object from step 1.
1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-1. Restart computers targeted by this Group Policy object
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+1. Restart computers targeted by this Group Policy object.
-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+ The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
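Review bot: the closing paragraph "The computer is ready for dual enrollment..." now gets a single leading space; one space is not enough to nest it under step 5 in Markdown (the list item's content column is three), so the change is a no-op at best and looks accidental. Either indent it to align with the list item content if it is meant to be part of step 5, or leave it flush left as a closing paragraph. Also, the step "Enable the **Allow enumeration of emulated smart cards for all users** policy setting..." is the only item in this list that did not receive a terminal period.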
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index 9a2ac25742..26e30724a9 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -47,7 +47,7 @@ sections:
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
+ When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/how-it-works#biometric-data-storage) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
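Review bot: the link now targets `how-it-works#biometric-data-storage`; confirm that a heading with exactly that anchor exists in `how-it-works.md`, since the old target was a different article and a broken fragment fails silently (the page loads, the scroll does not happen). While here, the unchanged sentence in the next answer, "encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash", conflates encryption with hashing (AES produces ciphertext, not a SHA-256 hash) and is missing an article before "unique"; worth a follow-up clarification from the feature owner.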
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index e6b79420ad..aaed7b870d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business known deployment issues
description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: troubleshooting
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index ef8e864841..8524027332 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation
description: Learn about the Windows Hello error codes that might happen during PIN creation.
ms.topic: troubleshooting
-ms.date: 03/12/2024
+ms.date: 11/22/2024
---
# Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index e1845d9363..b0fc5d6b30 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,7 +1,7 @@
---
title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -19,33 +19,61 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli
1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
1. Close the Group Policy Management Editor to save the Group Policy object.
-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+ The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
-```xml
-
-
-
-```
+ ```xml
+
+
+
+ ```
->[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
+ >[!IMPORTANT]
+ >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
-For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
+ For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
-|Description|Value|
-|:-------------|:-------:|
-|Miscellaneous|0|
-|Computer|256|
-|Phone|512|
-|LAN/Network Access Point|768|
-|Audio/Video|1024|
-|Peripheral|1280|
-|Imaging|1536|
-|Wearable|1792|
-|Toy|2048|
-|Health|2304|
-|Uncategorized|7936|
+ |Description|Value|
+ |:-------------|:-------:|
+ |Miscellaneous|0|
+ |Computer|256|
+ |Phone|512|
+ |LAN/Network Access Point|768|
+ |Audio/Video|1024|
+ |Peripheral|1280|
+ |Imaging|1536|
+ |Wearable|1792|
+ |Toy|2048|
+ |Health|2304|
+ |Uncategorized|7936|
-The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
+ The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
-RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+ RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+
+## Configure Dynamic lock with Microsoft Intune
+
+To configure Dynamic lock using Microsoft Intune, follow these steps:
+
+1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration policies.
+1. Create a new policy:
+ - Platform: Windows 10 and later
+ - Profile type: Templates - Custom
+ - Select Create
+1. Configure the profile:
+ - Name: Provide a name for the profile.
+ - Description: (Optional) Add a description.
+1. Add OMA-URI settings:
+ - Enable Dynamic lock:
+ - Name: Enable Dynamic lock
+ - Description: (Optional) This setting enables Dynamic lock
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
+ - Data type: Boolean
+ - Value: True
+ - Define the Dynamic lock signal rule:
+ - Name: Dynamic lock Signal Rule
+ - Description: (Optional) This setting configures Dynamic lock values
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins
+ - Data type: String
+ - Value: ``
+1. Assign the profile to the appropriate groups.
+
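Review bot: the new Intune step leaves the signal rule's `Value:` field empty, and the re-indented `xml` block in the Group Policy step above shows no rule content in this diff; the string written to `./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins` must be the actual rule XML (the same default rule the Group Policy section describes), otherwise an administrator cannot complete step 4. Smaller points in the re-indented lines: `this policy settings` should be `this policy setting`, `which instruct Windows` should be `which instructs Windows`, `by more than measurement of 10` reads better as `by more than a measurement of 10`, and `bluetooth` should be capitalized; in the new section, the navigation path `Devices > Windows > Configuration policies` should be bolded to match the `**Computer Configuration** > **Administrative Templates**` convention used earlier in this hunk.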
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3d2908e78a..613da4d993 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,7 +1,7 @@
---
title: Use Certificates to enable SSO for Microsoft Entra join devices
description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
-ms.date: 04/24/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr
Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*.
-1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder
-1. In the **Synchronization Service Manager**, select **Help** and then select **About**
-1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
+1. In the **Synchronization Service Manager**, select **Help** and then select **About**.
+1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
-1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
-1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
+1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials.
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent
-1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**
+1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.
> [!NOTE]
> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
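Review bot: the terminal-period clean-up in this hunk is incomplete: the unchanged step `Select **Modify permissions (Preview)** ... You'll now be prompted for delegated permissions consent` and the note `adequate [permissions](/graph/api/user-get?) must be granted` still lack a period, and the section intro still misspells the attribute as `onPremisesDistingushedNamne` (it is `onPremisesDistinguishedName`, as spelled in the `$select` query two steps later). The link target `/graph/api/user-get?` appearing in both notes ends in a bare `?`, which looks like a truncated URL and should be verified.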
@@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
```
-1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**
+1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
#### Response
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
index 34a527cefe..2bf77557b9 100644
--- a/windows/security/licensing-and-edition-requirements.md
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -1,8 +1,8 @@
---
-title: Windows security features licensing and edition requirements
+title: Windows Security Features Licensing And Edition Requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.topic: conceptual
-ms.date: 04/10/2024
+ms.topic: reference
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
ms.author: paoloma
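Review bot: the new title `Windows Security Features Licensing And Edition Requirements` switches to title case, capitalizing even `And`, while every other title in this patch (`BitLocker countermeasures`, `Network Unlock`, `Configure BitLocker`) uses sentence case; keep `Windows security features licensing and edition requirements` unless a deliberate style change applies to the whole docs set. The `ms.topic` change from `conceptual` to `reference` is defensible for an edition/licensing matrix, but it is a classification change rather than a date bump and should be called out in the PR description.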
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index 3e29796ff1..826ae7e556 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -2,7 +2,7 @@
title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Boot Configuration Data settings and BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
index 7fbff47e8c..5ed1607787 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
@@ -2,7 +2,7 @@
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Configure BitLocker
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
index 3eda5bed37..4e0d64f71a 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
@@ -2,7 +2,7 @@
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker countermeasures
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
index 80b74ed970..131cf2f9c9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
@@ -2,7 +2,7 @@
title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
appliesto:
- ✅ Windows Server 2025
- ✅ Windows Server 2022
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index b2642afed9..fcbcadf1b9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
- ms.date: 06/18/2024
+ ms.date: 12/05/2024
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 69d9822b91..2b1e13953b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -2,7 +2,7 @@
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker overview
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
index 1e9c124e9c..687f2418cd 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
@@ -2,7 +2,7 @@
title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
appliesto:
- ✅ Windows Server 2025
- ✅ Windows Server 2022
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
index 39be442f55..ff99a2de31 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@@ -2,12 +2,12 @@
title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# Network Unlock
-Network Unlock is a BitLocker *key protector* for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. Network Unlock requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by `TPM+PIN` protectors require a PIN to be entered when a device reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
+Network Unlock is a BitLocker *key protector* for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. Network Unlock requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by `TPM+PIN` protectors require a PIN to be entered when a device reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult for enterprises to roll out software patches to unattended desktops and remotely administered servers.
Network Unlock allows BitLocker-enabled systems that have a `TPM+PIN` and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the `TPM+StartupKey` at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
@@ -248,7 +248,7 @@ The following steps describe how to deploy the required group policy setting:
By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
-The configuration file, called `bde-network-unlock.ini`, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
+The configuration file called `bde-network-unlock.ini`, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word `ENABLED` is disallowed for subnet names.
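Review bot: removing only the first comma in `The configuration file called `bde-network-unlock.ini`, must be located` leaves a stray comma between the subject and the verb; either restore the comma before `called` (the non-restrictive appositive the original had) or remove both commas.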
@@ -299,6 +299,8 @@ To update the certificates used by Network Unlock, administrators need to import
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode
+- If client hardware is a Secure Core device, you may need to disable Secure Core functionality
+
- All required roles and services are installed and started
- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer
- Group policy for Network Unlock is enabled and linked to the appropriate domains
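Review bot: the added bullet `If client hardware is a Secure Core device, you may need to disable Secure Core functionality` is followed by a blank `+` line, which splits the bullet list when rendered; drop the blank line so the verification items stay one list. The guidance is also vaguer than its neighbours, which each say what to check and where: state which Secured-core setting interferes with the Network Unlock boot path and how to confirm it, and check the product name spelling (`Secure Core` versus `Secured-core`) against the rest of the docs set.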
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
index 645cf45add..2a6e018234 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
@@ -2,7 +2,7 @@
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker operations guide
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
index c54ad2e21e..3c563aa624 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
@@ -2,7 +2,7 @@
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker planning guide
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
index aaadd7678e..842b2e94c9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
@@ -2,7 +2,7 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
-ms.date: 06/19/2024
+ms.date: 12/05/2024
---
# BitLocker preboot recovery screen
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
index 808550018a..3db9407c4b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
@@ -2,7 +2,7 @@
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 12/05/2024
---
# BitLocker recovery overview
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
index a3cded5a34..421165a49b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
@@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
-ms.date: 07/18/2024
+ms.date: 12/05/2024
---
# BitLocker recovery process
@@ -26,6 +26,9 @@ A recovery key can't be stored in any of the following locations:
- The root directory of a nonremovable drive
- An encrypted volume
+> [!WARNING]
+> A recovery key is sensitive information that allows users to unlock an encrypted drive and perform administrative tasks on the drive. For enhanced security, it's recommended to enable self-service in trusted environments only, or rely on helpdesk recovery.
+
### Self-recovery with recovery password
If you have access to the recovery key, enter the 48-digits in the preboot recovery screen.
diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md
index 7781de30a9..ef44453923 100644
--- a/windows/security/operating-system-security/data-protection/configure-s-mime.md
+++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md
@@ -1,8 +1,8 @@
---
-title: Configure S/MIME for Windows
+title: Configure S/MIME For Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/02/2024
---
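Review bot: the new title `Configure S/MIME For Windows` capitalizes `For`, inconsistent with the sentence-case titles used elsewhere in this patch (`Configure BitLocker`, `Install BitLocker on Windows Server`); keep `Configure S/MIME for Windows`.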
@@ -68,4 +68,4 @@ When you receive a signed email, the app provides a feature to install correspon
1. Select the digital signature icon in the reading pane
1. Select **Install.**
- :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
+ :::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 34c2ed5f4a..c39add4606 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -1,42 +1,42 @@
---
-title: PDE settings and configuration
-description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+title: Personal Data Encryption settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (Personal Data Encryption) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
ms.date: 09/24/2024
---
-# PDE settings and configuration
+# Personal Data Encryption settings and configuration
-This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+This article describes the Personal Data Encryption settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
> [!NOTE]
-> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+> Personal Data Encryption can be configured using MDM policies. The content to be protected by Personal Data Encryption can be specified using [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable Personal Data Encryption or protect content using Personal Data Encryption.
>
-> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy has been enabled.
-## PDE settings
+## Personal Data Encryption settings
-The following table lists the required settings to enable PDE.
+The following table lists the required settings to enable Personal Data Encryption.
| Setting name | Description |
|-|-|
-|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
-|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+|Enable Personal Data Encryption|Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.|
-## PDE hardening recommendations
+## Personal Data Encryption hardening recommendations
-The following table lists the recommended settings to improve PDE's security.
+The following table lists the recommended settings to improve Personal Data Encryption's security.
| Setting name | Description |
|-|-|
-|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
-|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
-|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
-|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by Personal Data Encryption to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
-## Configure PDE with Microsoft Intune
+## Configure Personal Data Encryption with Microsoft Intune
-If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+If you use Microsoft Intune to manage your devices, you can configure Personal Data Encryption using a disk encryption policy, a settings catalog policy, or a custom profile.
### Disk encryption policy
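Review bot: the `+` row for "Allow users to select when a password is required when resuming from connected standby" still carries the acute accent in "device´s" (should be an apostrophe, "device's") and a stray space before the closing pipe of the setting name; since the row is being rewritten for the rename anyway, fix both here. The same row recommends explicitly disabling the policy on Microsoft Entra joined devices only, while the prerequisites in index.md are widened to Microsoft Entra hybrid joined devices further down in this same change; confirm whether the recommendation should mention hybrid joined devices as well.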
@@ -77,9 +77,9 @@ Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
```
-## Configure PDE with CSP
+## Configure Personal Data Encryption with CSP
-Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Personal Data Encryption CSP][CSP-2].
|OMA-URI|Format|Value|
|-|-|-|
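Review bot: the sample Intune policy JSON is one unbroken line, which makes its seven settings hard to review or copy; pretty-print it inside the fence. The sample also keeps the abbreviation in its policy name (`"name": "_MSLearn_PDE"`) while the surrounding prose drops "PDE" everywhere; either is acceptable, but be consistent.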
@@ -91,13 +91,13 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``|
-## Disable PDE
+## Disable Personal Data Encryption
-Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+Once Personal Data Encryption is enabled, it isn't recommended to disable it. However if you need to disable Personal Data Encryption, you can do so using the following steps.
-### Disable PDE with a disk encryption policy
+### Disable Personal Data Encryption with a disk encryption policy
-To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+To disable Personal Data Encryption devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
- **Platform** > **Windows**
- **Profile** > **Personal Data Encryption**
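Review bot: "To disable Personal Data Encryption devices using a disk encryption policy" reads as if the devices themselves are being disabled; rewrite as "To disable Personal Data Encryption on devices using a disk encryption policy". "However if you need to disable" also wants a comma after "However". In the CSP table at the top of the hunk, `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock` is listed with format `string` and an empty value; if the intent is to disable the policy (matching the `_allowdomaindelaylock_0` choice in the Intune sample above), state the actual value instead of leaving the cell blank.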
@@ -106,7 +106,7 @@ Provide a name, and select **Next**. In the **Configuration settings** page, sel
Assign the policy to a group that contains as members the devices or users that you want to configure.
-### Disable PDE with a settings catalog policy in Intune
+### Disable Personal Data Encryption with a settings catalog policy in Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
@@ -116,24 +116,24 @@ Assign the policy to a group that contains as members the devices or users that
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
-### Disable PDE with CSP
+### Disable Personal Data Encryption with CSP
-You can disable PDE with CSP using the following setting:
+You can disable Personal Data Encryption with CSP using the following setting:
|OMA-URI|Format|Value|
|-|-|-|
|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
-## Decrypt PDE-encrypted content
+## Decrypt encrypted content
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+Disabling Personal Data Encryption doesn't decrypt any Personal Data Encryption protected content. It only prevents the Personal Data Encryption API from being able to protect any additional content. Pprotected files can be manually decrypted using the following steps:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. Uncheck the option **Encrypt contents to secure data**
1. Select **OK**, and then **OK** again
-PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+Protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on multiple of devices
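Review bot: typo in the `+` line: "Pprotected files can be manually decrypted" should be "Protected files can be manually decrypted". The renamed heading "## Decrypt encrypted content" is tautological and changes the anchor to `#decrypt-encrypted-content` (the faq.yml hunk below updates its link accordingly); "Decrypt protected content" would read better, and since the slug is changing anyway the FAQ link would just need the matching value. The unchanged context line "Decrypting files on multiple of devices" has a stray "of"; worth fixing while here.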
@@ -153,11 +153,11 @@ To decrypt files on a device using `cipher.exe`:
```
> [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using Personal Data Encryption.
## Next steps
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Review the [Personal Data Encryption FAQ](faq.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 8aeed21090..2be94a9a24 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -1,51 +1,51 @@
### YamlMime:FAQ
metadata:
- title: Frequently asked questions for Personal Data Encryption (PDE)
- description: Answers to common questions regarding Personal Data Encryption (PDE).
+ title: Frequently asked questions for Personal Data Encryption
+ description: Answers to common questions regarding Personal Data Encryption.
ms.topic: faq
ms.date: 09/24/2024
-title: Frequently asked questions for Personal Data Encryption (PDE)
+title: Frequently asked questions for Personal Data Encryption
summary: |
- Here are some answers to common questions regarding Personal Data Encryption (PDE)
+ Here are some answers to common questions regarding Personal Data Encryption
sections:
- name: General
questions:
- - question: Can PDE encrypt entire volumes or drives?
+ - question: Can Personal Data Encryption encrypt entire volumes or drives?
answer: |
- No, PDE only encrypts specified files and content.
- - question: How are files and content protected by PDE selected?
+ No, Personal Data Encryption only encrypts specified files and content.
+ - question: How are files and content protected by Personal Data Encryption selected?
answer: |
- [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- - question: Can users manually encrypt and decrypt files with PDE?
+ [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using Personal Data Encryption.
+ - question: Can users manually encrypt and decrypt files with Personal Data Encryption?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt encrypted content](configure.md#decrypt-encrypted-content).
+ - question: Can Personal Data Encryption protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
- No, it's not supported to access PDE-protected content over RDP.
- - question: Can PDE protected content be accessed via a network share?
+ No, it's not supported to access protected content over RDP.
+ - question: Can Personal Data Encryption protected content be accessed via a network share?
answer: |
- No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- - question: What encryption method and strength does PDE use?
+ No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+ - question: What encryption method and strength does Personal Data Encryption use?
answer: |
- PDE uses AES-CBC with a 256-bit key to encrypt content.
+ Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
- - name: PDE and other Windows features
+ - name: Personal Data Encryption and other Windows features
questions:
- - question: What is the relation between Windows Hello for Business and PDE?
+ - question: What is the relation between Windows Hello for Business and Personal Data Encryption?
answer: |
- During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
- - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
+ During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
answer: |
- No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- - question: Can a file be protected with both PDE and EFS at the same time?
+ No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ - question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
answer: |
- No, PDE and EFS are mutually exclusive.
- - question: Is PDE a replacement for BitLocker?
+ No, Personal Data Encryption and EFS are mutually exclusive.
+ - question: Is Personal Data Encryption a replacement for BitLocker?
answer: |
No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
answer: |
- No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+ No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
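Review bot: the `+` answer "No, it's not supported to access protected content over RDP." drops the qualifier the `-` line had ("PDE-protected"), leaving "protected content" ambiguous in a FAQ that also discusses EFS and BitLocker; keep "Personal Data Encryption protected content" as the neighbouring answers do. The summary line "Here are some answers to common questions regarding Personal Data Encryption" is still missing its full stop.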
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 7e28595993..2f0191609b 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,104 +1,104 @@
---
-title: Personal Data Encryption (PDE)
+title: Personal Data Encryption
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 09/24/2024
---
-# Personal Data Encryption (PDE)
+# Personal Data Encryption
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
+Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
-PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
The use of Windows Hello for Business offers the following advantages:
- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
-- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
-PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
-To use PDE, the following prerequisites must be met:
+To use Personal Data Encryption, the following prerequisites must be met:
- Windows 11, version 22H2 and later
-- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
+- The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
> [!IMPORTANT]
-> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
+> If you sign in with a password or a [FIDO2 security key][ENTRA-3], you can't access Personal Data Encryption protected content.
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
-## PDE protection levels
+## Personal Data Encryption protection levels
-PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
-| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
-| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
-| PDE protected data is accessible after user signs out of Windows | No | No |
-| PDE protected data is accessible when device is shut down | No | No |
-| PDE protected data is accessible via UNC paths | No | No |
-| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
-| PDE protected data is accessible via Remote Desktop session | No | No |
-| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
+| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
+| Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
+| Protected data is accessible after user signs out of Windows | No | No |
+| Protected data is accessible when device is shut down | No | No |
+| Protected data is accessible via UNC paths | No | No |
+| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
+| Protected data is accessible via Remote Desktop session | No | No |
+| Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
-## PDE protected content accessibility
+## Personal Data Encryption protected content accessibility
-When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
+When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
-Scenarios where a user will be denied access to PDE protected content include:
+Scenarios where a user will be denied access to Personal Data Encryption protected content include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
- If protected via level 2 protection, when the device is locked
- When trying to access content on the device remotely. For example, UNC network paths
- Remote Desktop sessions
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
-## Differences between PDE and BitLocker
+## Differences between Personal Data Encryption and BitLocker
-PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
+Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
-| Item | PDE | BitLocker |
+| Item | Personal Data Encryption | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
-## Differences between PDE and EFS
+## Differences between Personal Data Encryption and EFS
-The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
+The main difference between protecting files with Personal Data Encryption instead of EFS is the method they use to protect the file. Personal Data Encryption uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
-To see if a file is protected with PDE or with EFS:
+To see if a file is protected with Personal Data Encryption or with EFS:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. In the **Advanced Attributes** windows, select **Details**
-For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
-## Recommendations for using PDE
+## Recommendations for using Personal Data Encryption
-The following are recommendations for using PDE:
+The following are recommendations for using Personal Data Encryption:
-- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
-## Windows out of box applications that support PDE
+## Windows out of box applications that support Personal Data Encryption
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
+Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
| App name | Details |
|-|-|
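Review bot: the prerequisite change "- The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported" is a substantive support-matrix change, not part of the rename; it should be called out in the PR description, and the hardening recommendation in configure.md that only speaks of Microsoft Entra joined devices should be checked against it. Two pre-existing errors are carried into `+` lines: "for increased security at it isn't a replacement for BitLocker" ("at" should be "and"), and "Protected data is accessible when signing with Windows password" ("signing in with").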
@@ -106,10 +106,11 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
## Next steps
-- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [Personal Data Encryption settings and configuration](configure.md)
+- Review the [Personal Data Encryption FAQ](faq.yml)
-[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
-[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+[ENTRA-1]: /entra/identity/devices/concept-directory-join
+[ENTRA-2]: /entra/identity/devices/concept-hybrid-join
+[ENTRA-3]: /entra/identity/authentication/howto-authentication-passwordless-security-key-windows#sign-in-with-fido2-security-key
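Review bot: "configuration Service Provider (CSP)" has inconsistent capitalization in the `+` line; use "Configuration Service Provider". Replacing [AAD-1] and [AAD-2] with [ENTRA-1] to [ENTRA-3] covers the two references changed earlier in this file; make sure no other `[AAD-` references remain in index.md, since a dangling reference-style link renders as literal bracketed text.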
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index f526600bd4..ac20c878c3 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,7 +1,7 @@
items:
-- name: PDE overview
+- name: Overview
href: index.md
-- name: Configure PDE
+- name: Configure Personal Data Encryption
href: configure.md
-- name: PDE frequently asked questions (FAQ)
+- name: Frequently asked questions (FAQ)
href: faq.yml
\ No newline at end of file
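Review bot: the file still ends without a trailing newline (`\ No newline at end of file`); add one while the file is being touched.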
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index 81f918fba2..ee4a57ab27 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -3,9 +3,7 @@ items:
href: bitlocker/toc.yml
- name: Encrypted hard drives
href: encrypted-hard-drive.md
-- name: Personal data encryption (PDE)
+- name: Personal data encryption
href: personal-data-encryption/toc.yml
- name: Email Encryption (S/MIME)
href: configure-s-mime.md
-- name: Windows Information Protection (WIP)
- href: /previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
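Review bot: dropping the "Windows Information Protection (WIP)" TOC entry is unrelated to the Personal Data Encryption rename and removes the navigation path to the previous-versions WIP page; it belongs in its own change or at least in the PR description. The renamed node "Personal data encryption" also uses different casing from the page title "Personal Data Encryption" used in index.md and the child toc.yml.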
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
deleted file mode 100644
index e8c0197c75..0000000000
--- a/windows/security/operating-system-security/index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.date: 07/10/2024
-ms.topic: overview
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
-
-[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]
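Review bot: deleting index.md may orphan the include it pulled in, `[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]`; if no other article consumes that file, remove it in the same change. Also make sure a redirect for `windows/security/operating-system-security/index.md` is registered so existing inbound links and bookmarks don't 404.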
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index b1b37ca008..85561cf109 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on
### Control Windows Firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console.
-The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
+The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
+Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
-netsh advfirewall set allprofiles settings inboundusernotification enable
+netsh advfirewall set allprofiles settings inboundusernotification disable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
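Review bot: the rewritten prose "disallows notifications to be displayed" is awkward and the sentence has a subject-verb mismatch ("scriptlets set ... specifies ... disallows"); suggest "The following scriptlets set the default inbound and outbound actions, specify protected network connections, and suppress the notification shown to the user when a program is blocked from receiving inbound connections." Because the sample now sets `-NotifyOnListen False` / `inboundusernotification disable` together with `DefaultInboundAction Block`, say explicitly that blocked listeners will fail silently, so readers know to look in the firewall log (the `LogFileName` configured on the same line) instead of expecting a prompt.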
@@ -53,19 +53,14 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
### Disable Windows Firewall
-Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
-Disabling Windows Firewall can also cause problems, including:
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall
-Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed.
-If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
-Stopping the Windows Firewall service isn't supported by Microsoft.
-Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.
-You shouldn't disable the firewall yourself for this purpose.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
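Review bot: the rewrite drops the guidance from the removed line "Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed"; the reset-to-defaults advice is the step admins most often miss, so either keep it or point to where it now lives. The new text also removes the hyperlink the old line had on "Windows Service Hardening"; if the fwlink is dead, say so in the PR description. While this section is being edited, fix the pre-existing typo in the unchanged line "Domain Prolfile" (should be "Domain Profile").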
@@ -569,3 +564,6 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec
```
---
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
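Review bot: `[MFWC]` is defined here but never referenced in configure-with-command-line.md (the rewritten section above uses only `[BTF]` and `[FWRC]`), and it points at this very article; drop the definition here and keep it only in index.md, where it is actually used.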
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
index b8e9d793fc..f6540ef8df 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
@@ -11,7 +11,7 @@ This article contains examples how to configure Windows Firewall rules using the
## Access the Windows Firewall with Advanced Security console
-If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
+If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. Pay attention to the [Group policy processing considerations][GPPC] when using Group Policy.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER.
@@ -176,3 +176,5 @@ Using the two rules configured as described in this topic helps to protect your
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+[GPPC]: /windows/security/operating-system-security/network-security/windows-firewall/tools#group-policy-processing-considerations
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md
index 8952b535cf..4de85b91d4 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/index.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md
@@ -73,6 +73,18 @@ The *public network* profile is designed with higher security in mind for public
> [!TIP]
> Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*.
+## Disable Windows Firewall
+
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
+
+- Start menu can stop working
+- Modern applications can fail to install or update
+- Activation of Windows via phone fails
+- Application or OS incompatibilities that depend on Windows Firewall
+
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. See [Manage Windows Firewall with the command line][MFWC] for detailed steps.
+
## Next steps
> [!div class="nextstepaction"]
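Review bot: this new section is a verbatim copy of the one added to configure-with-command-line.md in the same PR; duplicated prose drifts over time, so consider moving it into an include file (the repo already uses `[!INCLUDE [...]` for shared sections) and referencing it from both articles, or keep the full text here and leave only the short pointer in the command-line article. Separately, the two paragraphs "Microsoft recommends that you don't disable..." and "If disabling Windows Firewall is required..." have no blank line between them, so Markdown renders them as a single paragraph; add a blank line.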
@@ -89,3 +101,6 @@ To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WI
[FHUB]: feedback-hub:?tabid=2&newFeedback=true
[NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2
[CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
index 3daf29314e..64b6580098 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
@@ -30,11 +30,13 @@ When first installed, network applications and services issue a *listen call* sp
:::row:::
:::column span="2":::
- If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
-
- - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
- - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created
+ If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
+
+- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
+- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected
+To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console
+
:::column-end:::
:::column span="2":::
:::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::
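Review bot: "To disable the notification prompt, ..." follows the last bullet with no blank line, so Markdown treats it as a lazy continuation of that bullet instead of a new paragraph; add a blank line before it. The bullets are also now at column 0 while the lead-in sentence keeps its indentation inside `:::column:::`; align them so the block renders consistently. Finally, the rewritten second bullet ("If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected") reverses the old statement that non-admins aren't prompted; if that is the intended correction, a few words on when a non-admin sees the prompt would help readers reconcile it with the first bullet.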
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
index 5cff1aedaa..0d9d62c33e 100644
--- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@@ -3,7 +3,7 @@ title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
ms.topic: conceptual
ms.date: 07/10/2024
-ms.reviewer: skhadeer, raverma
+ms.reviewer: skhadeer, aathipsa
---
# Cryptography and Certificate Management
@@ -17,13 +17,19 @@ Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 c
Windows cryptographic modules provide low-level primitives such as:
- Random number generators (RNG)
-- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
-- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, SHA-512, and SHA-3*)
- Signing and verification (padding support for OAEP, PSS, PKCS1)
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+*With this release we added support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, and KMAC). These are the latest standardized hash functions by the National Institute of Standards and Technology (NIST) and can be leveraged through the Windows CNG library. Below is a list of the supported SHA-3 functions:
+
+Supported SHA-3 hash functions: SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
+Supported SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
+Supported SHA-3 derived algorithms: extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256).
+
## Certificate management
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
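Review bot: "With this release" is undated in an evergreen article; name the Windows version that added SHA-3 to CNG, because the article's `ms.date` alone won't tell readers. The three "Supported SHA-3 ..." lines have no list markers or blank lines between them, so they render as one run-on paragraph; make them bullets. The footnote marker `*` after "SHA-3" in the hashing bullet and at the start of "*With this release" is fragile in Markdown (it can be parsed as emphasis); escape it as `\*` or use a `> [!NOTE]` block instead. Minor: "SHA-3 derived functions" should be "SHA-3-derived functions", and "leveraged" reads better as "used".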
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 657b99e5df..0309711be5 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -13,7 +13,7 @@ items:
href: ../../threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: ../../threat-protection/auditing/security-auditing-overview.md
-- name: Assigned Access 🔗
+- name: Kiosks and restricted user experiences 🔗
href: /windows/configuration/assigned-access
- name: Windows Security settings
href: windows-defender-security-center/windows-defender-security-center.md
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index 1e8df2650f..5c37753d30 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,13 +1,11 @@
items:
-- name: Overview
- href: index.md
- name: System security
href: system-security/toc.yml
- name: Encryption and data protection
href: data-protection/toc.yml
-- name: Device management
- href: device-management/toc.yml
- name: Network security
href: network-security/toc.yml
- name: Virus and threat protection
- href: virus-and-threat-protection/toc.yml
\ No newline at end of file
+ href: virus-and-threat-protection/toc.yml
+- name: Device management
+ href: device-management/toc.yml
\ No newline at end of file
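Review bot: the hunk rewrites the last line only to move "Device management" below "Virus and threat protection", and the file still ends with "\ No newline at end of file"; add the trailing newline while touching the file, as the certification/toc.yml hunk in this same PR does. Removing the "Overview" entry matches the deletion of operating-system-security/index.md, so that part is consistent.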
diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml
index 33099035c3..98c1522666 100644
--- a/windows/security/security-foundations/certification/toc.yml
+++ b/windows/security/security-foundations/certification/toc.yml
@@ -9,6 +9,8 @@ items:
href: validations/fips-140-windows10.md
- name: Previous Windows releases
href: validations/fips-140-windows-previous.md
+ - name: Windows Server 2022
+ href: validations/fips-140-windows-server-2022.md
- name: Windows Server 2019
href: validations/fips-140-windows-server-2019.md
- name: Windows Server 2016
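Review bot: the new entry points at `validations/fips-140-windows-server-2022.md`, which is not part of the visible diff; confirm the file exists in this branch, otherwise the TOC build fails on a broken href. Placing it between "Previous Windows releases" and "Windows Server 2019" keeps the server list in descending order, which is fine.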
@@ -32,4 +34,4 @@ items:
- name: Windows Server semi-annual releases
href: validations/cc-windows-server-semi-annual.md
- name: Previous Windows Server releases
- href: validations/cc-windows-server-previous.md
\ No newline at end of file
+ href: validations/cc-windows-server-previous.md
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-previous.md
index 8d5cd8c275..d648de3a05 100644
--- a/windows/security/security-foundations/certification/validations/cc-windows-previous.md
+++ b/windows/security/security-foundations/certification/validations/cc-windows-previous.md
@@ -30,14 +30,14 @@ The following tables list the completed Common Criteria certifications for Windo
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
+|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] |
## Windows Vista
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
-|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
+|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] |
+|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] |
---
@@ -65,9 +65,6 @@ The following tables list the completed Common Criteria certifications for Windo
[admin-guide-january-2015-rt]: https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
-[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
-[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
-[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
deleted file mode 100644
index 0275431b52..0000000000
--- a/windows/security/security-foundations/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows security foundations
-description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: overview
-ms.date: 04/10/2024
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows security foundations
-
-Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today's threat environment.
-
-Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
-
-Use the links in the following table to learn more about the security foundations:
-
-[!INCLUDE [security-foundations](../includes/sections/security-foundations.md)]
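Review bot: deleting this page leaves `../includes/sections/security-foundations.md` without a consumer as far as this diff shows; remove the include file too if nothing else references it, and confirm a redirect for `windows/security/security-foundations/index.md` is registered so inbound links keep resolving.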
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 7fc4c3adff..e8439d170b 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -1,8 +1,4 @@
items:
-- name: Overview
- href: index.md
-- name: Zero Trust and Windows
- href: zero-trust-windows-device-health.md
- name: Offensive research
items:
- name: Microsoft Security Development Lifecycle 🔗
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
deleted file mode 100644
index cacb76f47d..0000000000
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Zero Trust and Windows device health
-description: Describes the process of Windows device health attestation
-ms.topic: concept-article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.date: 09/06/2024
----
-
-# Zero Trust and Windows device health
-
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
-
-The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
-
-- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies
-- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity
-- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses
-
-The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
-
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
-
-Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
-
-## Device health attestation on Windows
-
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
-
-- If the device can be trusted
-- If the operating system booted correctly
-- If the OS has the right set of security features enabled
-
-These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](../operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
-
-A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
-
-1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event
-1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service
-1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation)
-1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device
-1. The attestation service does the following tasks:
-
- - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log
- - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
- - Verify that the security features are in the expected states
-
-1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service
-1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules
-1. Conditional access, along with device-compliance state then decides to allow or deny access
-
-## Other Resources
-
-Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/).
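Review bot: This hunk deletes the whole attestation walkthrough (PCR measurements per the TCG spec, TCG log replay against the PCR values, AIK validation, Intune compliance and Conditional Access) rather than relocating it; confirm the redirect target actually covers these steps, otherwise the only step-by-step description of the TPM-backed device health flow in this area is lost with the file. If the text is moved, the deleted copy's typo "Microsoft Endpoint Manger" should not be carried over.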
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 5b5fb3e06e..327b1336ab 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -56,7 +56,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Windows Defender SmartScreen** helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard** helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol) |
| **Microsoft Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections** help prevent malware from using memory manipulation techniques such as buffer overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note: A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
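Review bot: Only the Device Guard "More information" link is updated in this hunk, while the neighbouring rows still use pre-reorganization paths such as `/windows/access-protection/credential-guard/credential-guard`, `/windows/access-protection/enterprise-certificate-pinning` and `/windows/threat-protection/block-untrusted-fonts-in-enterprise`; check whether those also need to point at current locations rather than relying on redirects. In the unchanged context, the Memory protections row never closes the parenthesis opened at "(for example, malware that attempts"; worth fixing while this table is being edited.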
@@ -88,14 +88,14 @@ For more information, see [Microsoft Defender SmartScreen overview](/windows/sec
Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve anti-malware:
+- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
+
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
-- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
+- **Rich local context** improves how malware is identified. Windows 11 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This up-to-date status is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-
- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class anti-malware solution.
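Review bot: The changed "Rich local context" bullet now says "Windows 11 informs Microsoft Defender Antivirus", while the lead sentence of the list (and the article itself, overview-of-threat-mitigations-in-windows-10.md) still describes Windows 10; either keep Windows 10 here or make the list consistent throughout. Also, the blank `+` line inserted after the moved "Tamper proofing" bullet splits the bullet list in two; drop it so all five items render as one list.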
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 6fbbd83941..bb89fd8728 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,4 @@
items:
-- name: Introduction to Windows security
- href: introduction.md
- name: Windows 11 security book 🔗
href: book/index.md
- name: Security features licensing and edition requirements
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 7c53798b03..87ff332844 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -34,7 +34,7 @@ Customers concerned about NTLM usage in their environments are encouraged to uti
In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their `AcquireCredentialsHandle` request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration. For more information, see [Kerberos authentication troubleshooting guidance](/troubleshoot/windows-server/windows-security/kerberos-authentication-troubleshooting-guidance).
-Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm).
+Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm).
## WordPad
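Review bot: The removed and added lines in this hunk are textually identical, so this is a whitespace or line-ending-only change; confirm it is intentional (for example trimming a trailing space) rather than editor noise, since it adds churn to the NTLM fallback paragraph with no content change.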
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 386b0a681f..568b781fc7 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 11/14/2024
+ms.date: 12/12/2024
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -47,11 +47,12 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
+| Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |
| Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired:
Playback of protected content in the legacy Windows Media Player on Windows 7
Playback of protected content in a Silverlight client and Windows 8 clients
In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
| September 2024 |
| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
-| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | June 2024 |
+| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
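Review bot: The updated NTLM row introduces a stray comma in "For more information, see, [Resources for deprecated features]"; the removed line had "see [Resources for deprecated features]", which is correct. The "**[Update - November 2024]**" addition otherwise follows the convention already used by the WMIC row further down the table.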
@@ -75,7 +76,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
-| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
+| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Windows Information Protection is removed starting in Windows 11, version 24H2. | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.** Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client. The following items might not be available in a future release of Windows client: - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows** - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv) - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents** - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected. **[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 |
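Review bot: The new sentence "Windows Information Protection is removed starting in Windows 11, version 24H2" would be more useful as a link to removed-features.md, matching how the NTLM row in this same change links its removal notice; consider also using the **[Update - ...]** marker that the NTLM and WMIC rows use so readers can see the row was amended after the original deprecation date.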
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index de53336b4b..306de5a2a9 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 11/01/2023
+ms.date: 01/21/2025
ms.collection:
- highpri
- tier2
@@ -43,15 +43,17 @@ The following are frequently asked questions about the ESU program for Windows 1
### How much does ESU cost?
-Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
### Is there a minimum license purchase requirement for Windows 10 ESU?
-There are no minimum license purchase requirements for Windows 10 ESU.
+The minimum license purchase requirements for Windows 10 ESU is one license.
### Can ESUs be purchased for a specific duration?
-Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+The Extended Security Update Program for Windows 10 must be purchased by year. Customers can't buy partial periods, for instance, only six months. Year One starts in November 2025. If you decide to purchase the program in Year Two, you'll have to pay for Year One too, as ESUs are cumulative.
+
### When will the ESU offer be available for licensing?
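Review bot: "The minimum license purchase requirements for Windows 10 ESU is one license" has a subject/verb mismatch; use "The minimum license purchase requirement for Windows 10 ESU is one license." In the pricing answer, "The price doubles every consecutive year, for a maximum of three years" would read more clearly placed directly after the $61 Year One figure, so the link sentence does not separate the two parts of the pricing statement.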
diff --git a/windows/whats-new/ltsc/whats-new-windows-11-2024.md b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
index 3fbb4a3529..2e098597d2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-11-2024.md
+++ b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
@@ -18,7 +18,7 @@ appliesto:
This article lists some of the new and updated features and content that is of interest to IT Pros for Windows 11 Enterprise long-term servicing channel (LTSC) 2024, compared to Windows 10 Enterprise LTSC 2021. For a brief description of the LTSC servicing channel and associated support, see [Windows Enterprise LTSC](overview.md).
-Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
+Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
The Windows 11 Enterprise LTSC 2024 release includes the cumulative enhancements provided in Windows 11 versions 21H2, 22H2, 23H2, and 24H2. Details about these enhancements are provided below.
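Review bot: The removed and added lines here are identical, so this is a whitespace-only change; confirm it is intended, as it adds a hunk with no visible content change.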
@@ -37,7 +37,7 @@ Windows 11 Enterprise LTSC 2024 was first available on October 1, 2024. Features
| Feature [Release] | Description |
| --- | --- |
-| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: • [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) • [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) • [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
+| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: * [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) * [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) * [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
| **Braille displays** [23H2][23H2] | Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros). |
| **Narrator improvements** [23H2][23H2] | Scripting functionality was added to Narrator. Narrator includes more natural voices. For more information, see [Complete guide to Narrator](https://support.microsoft.com/topic/e4397a0d-ef4f-b386-d8ae-c172f109bdb1). |
| **Bluetooth ® LE audio support for assistive devices** [24H2][24H2] | Windows has taken a significant step forward in accessibility by supporting the use of assistive hearing devices equipped with the latest Bluetooth ® Low Energy Audio technology. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647). |
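Review bot: Replacing the "•" separators with "* " inside a table cell does not produce a list in Markdown; an asterisk followed by a space in the middle of a cell renders as a literal "*", so the visible result changes from bullets to asterisks. If the goal is to avoid the non-ASCII bullet, consider `<br>`-separated lines instead, or keep "•"; verify the rendered table before merging.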
@@ -95,15 +95,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| --- | --- |
| **Windows Security app** [21H2][21H2] | Windows Security app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). |
| **Security baselines** [21H2][21H2] | Security baselines include security settings that are already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). |
-| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: • [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) • [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) • [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
+| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: * [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) * [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) * [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
| **Application Security** [21H2][21H2] | The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see [Windows application security](/windows/security/apps). |
| **Microsoft Pluton** [22H2][22H2] | Pluton, designed by Microsoft and built by silicon partners, is a secure crypto-processor built into the CPU. Pluton provides security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is harder to be removed even if an attacker installed malware or has complete physical possession. For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor). |
-| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: • [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) • [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
+| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: * [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) * [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
| **Smart App Control** [22H2][22H2] | Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. Smart App Control helps block unwanted apps that affect performance, display unexpected ads, offer extra software you didn't want, and other things you don't expect. For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control). |
| **Credential Guard** [22H2][22H2] | Credential Guard, enabled by default, uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket. For more information, see [Configure Credential Guard](/windows/security/identity-protection/credential-guard/configure).|
| **Malicious and vulnerable driver blocking** [22H2][22H2] | The vulnerable driver blocklist is automatically enabled on devices when Smart App Control is enabled and for clean installs of Windows. For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).|
| **Security hardening and threat protection** [22H2][22H2] | Enhanced support with Local Security Authority (LSA) to prevent code injection that could compromise credentials. For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json). |
-| **Personal Data Encryption (PDE)** [22H2][22H2] | [Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
+| **Personal Data Encryption** [22H2][22H2] | [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
| **Passkeys in Windows** [23H2][23H2] | Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys). |
| **Windows passwordless experience** [23H2][23H2] | Windows passwordless experience is a security policy that promotes a user experience without passwords on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices. When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/). |
| **Web sign-in for Windows** [23H2][23H2] | You can enable a web-based sign-in experience on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices, unlocking new sign-in options, and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in). |
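Review bot: replacing the `•` bullets with ` * ` inside a single table cell (the Microsoft Defender Antivirus and Enhanced Phishing Protection rows) does not produce a list; a `*` that sits mid-line and is followed by a space is not a list marker or an emphasis delimiter in Markdown, so the cell renders as "see: * [Microsoft Defender Antivirus](...) * [Microsoft Defender for Endpoint](...)" with literal asterisks. If the goal is to drop the non-ASCII bullet, separate the items with `<br>` line breaks (`see:<br>- [Microsoft Defender Antivirus](...)<br>- [Microsoft Defender for Endpoint](...)`) or fold the links into the sentence. The Personal Data Encryption rename on the following rows is consistent with the product name used in the 22H2 article in this same change.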
@@ -112,10 +112,10 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **App Control for Business** [24H2][24H2] | Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see [Application Control for Windows](/windows/security/application-security/application-control/app-control-for-business/appcontrol).|
| **Local Security Authority (LSA) protection enablement** [24H2][24H2]| An audit occurs for incompatibilities with [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, [LSA protection logs](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load) whether programs are blocked from loading into LSA. |
| **Rust in the Windows kernel** [24H2][24H2] | There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel. |
-| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
+| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
| **Windows Local Admin Password Solution (LAPS)** [24H2][24H2] | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see [What is Windows LAPS?](/windows-server/identity/laps/laps-overview)|
-| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: • Automatically create the managed local account • Configure name of account • Enable or disable the account • Randomize the name of the account |
-| **Windows LAPS** Policy improvements [24H2][24H2]| • Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy • Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase • Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. • Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
+| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: * Automatically create the managed local account * Configure name of account * Enable or disable the account * Randomize the name of the account |
+| **Windows LAPS** Policy improvements [24H2][24H2]| * Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy * Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase * Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. * Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
| **Windows LAPS** Image rollback detection [24H2][24H2] | Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema). |
| **Windows protected print mode** [24H2][24H2] | Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with [Mopria certified printers](https://mopria.org/certified-products). For more information, see [What is Windows protected print mode (WPP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) and [Windows Insider WPP announcement](https://blogs.windows.com/windows-insider/2023/12/13/announcing-windows-11-insider-preview-build-26016-canary-channel/). |
| **SMB signing requirement changes** [24H2][24H2] | [SMB signing is now required](/windows-server/storage/file-server/smb-signing) by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see [https://aka.ms/SMBSigningOBD](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704). |
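Review bot: the SHA-3 support row shows no visible difference between the removed and added line, so this is a trailing-whitespace-only change and should be confirmed as intentional rather than editor noise. The two Windows LAPS rows carry the same rendering problem as the earlier hunk: ` * Automatically create the managed local account * Configure name of account ...` will appear as inline asterisks, not list items, so either `<br>`-separate the items or rewrite them as a sentence. While the cell is being touched, "Configure name of account" reads better as "Configure the name of the account".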
@@ -123,8 +123,8 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **SMB signing and encryption auditing** [24H2][24H2] | Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell. |
| **SMB alternative client and server ports** [24H2][24H2] | The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using [alternative network ports](/windows-server/storage/file-server/smb-ports) to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in [Windows Server Insider build 26040](https://techcommunity.microsoft.com/t5/windows-server-insiders/announcing-windows-server-preview-build-26040/m-p/4040858), the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see [https://aka.ms/SMBAlternativePorts](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509). |
| **SMB NTLM blocking exception list** [24H2][24H2] |The SMB client now supports [blocking NTLM](/windows-server/storage/file-server/smb-ntlm-blocking) for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see [https://aka.ms/SmbNtlmBlock](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206). |
-| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
-| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: • [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. • [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell • [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
+| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
+| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: * [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. * [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell * [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
| **SMB firewall rule changes** [24H2][24H2] | The Windows Firewall [default behavior has changed](/windows-server/storage/file-server/smb-secure-traffic#updated-firewall-rules-preview). Previously, creating an SMB share automatically configured the firewall to enable the rules in the **File and Printer Sharing** group for the given firewall profiles. Now, Windows automatically configures the new **File and Printer Sharing (Restrictive)** group, which no longer contains inbound NetBIOS ports 137-139. This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server **File Server** role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the **File and Printer Sharing** group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see [https://aka.ms/SMBfirewall](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-firewall-rule-changes-in-windows-insider/ba-p/3974496). For more information about SMB network security, see [Secure SMB Traffic in Windows Server](/windows-server/storage/file-server/smb-secure-traffic). |
## Servicing
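Review bot: the SMB dialect management line is another whitespace-only change, and the SMB over QUIC client access control cell has a problem beyond the asterisks rendering inline: the last item runs straight into the next sentence ("for SMB over QUIC For more information about these changes"), so the cell needs at least a period or a `<br>` before "For more information". Also, "Disabling SMB over QUIC for client with Group Policy and PowerShell" should read "for clients".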
@@ -132,7 +132,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| Feature [Release] | Description |
| --- | --- |
-| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: • [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) • [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) • [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
+| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: * [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) * [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) * [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
| **Control Windows Update notifications** [22H2][22H2] | You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).|
| **Organization name in update notifications** |The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name). |
| **Checkpoint cumulative updates** [24H2][24H2] | Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552). |
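Review bot: the Windows Updates and Delivery optimization row has the same inline-asterisk issue: "see: * [Delivery Optimization for Windows updates](...) * [Installation & updates](...) * [Manage updates in Windows](...)" will render as three links separated by literal asterisks. Use `<br>` breaks between the items or join them into one sentence. Nothing else in this hunk changes.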
@@ -152,7 +152,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
## Features Removed
-Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
+Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
| Feature | Description |
|---------|-------------|
@@ -170,5 +170,5 @@ Each version of Windows client adds new features and functionality. Occasionally
[21H2]: ..\windows-11-overview.md
[22H2]: ..\whats-new-windows-11-version-22H2.md
-[23H2]: ..\whats-new-windows-11-version-23h2.md
+[23H2]: ..\whats-new-windows-11-version-23h2.md
[24H2]: ..\whats-new-windows-11-version-24H2.md
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 461b15d644..991c787969 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: reference
ms.subservice: itpro-fundamentals
-ms.date: 08/23/2024
+ms.date: 12/09/2024
ms.collection:
- highpri
- tier1
@@ -38,6 +38,8 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
+| NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 |
+| Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 |
| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 |
| WordPad | WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | October 1, 2024 |
| Alljoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures. AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | October 1, 2024 |
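Review bot: the two new rows omit the mitigation half of the "Details and mitigation" column that the other rows provide. The NTLMv1 entry should state what replaces it (NTLMv2 or, preferably, Kerberos) and how administrators can find remaining NTLMv1 use before upgrading, and the Windows Information Protection entry should name the replacement data-protection option and link the corresponding deprecated-features entry, as the WordPad row does. The "Support removed" column is also inconsistent: the WordPad and AllJoyn rows give a date ("October 1, 2024") while the new rows give a version ("24H2"); pick one form for the table.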
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index a76a1b6abb..3b1f47426d 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -70,9 +70,9 @@ For more information, see [Configuring Additional LSA Protection](/windows-serve
## Personal Data Encryption
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal Data Encryption is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. Personal Data Encryption differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With Personal Data Encryption, users only need to enter one set of credentials via Windows Hello for Business.
For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
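Review bot: the rename from "PDE" to "Personal Data Encryption" is applied consistently within the hunk, but the unchanged "For more information" line still links `/windows/security/information-protection/personal-data-encryption/overview-pde`, while the LTSC 2024 table row in this same change links `/windows/security/operating-system-security/data-protection/personal-data-encryption/`; the two should point at the same current location. Also, "This requirement requires users to remember two different credentials" repeats the previous sentence; folding it in as ", so users must remember two different credentials" would read better.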
diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md
index 5c492a24d8..a5f7acda5a 100644
--- a/windows/whats-new/whats-new-windows-11-version-24h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-24h2.md
@@ -18,7 +18,7 @@ appliesto:
# What's new in Windows 11, version 24H2
-Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
+Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
>**Looking for consumer information?** See [Windows 11 2024 update](https://support.microsoft.com/topic/93c5c27c-f96e-43c2-a08e-5812d92f220d#windowsupdate=26100).
@@ -42,21 +42,21 @@ To learn more about the status of the update rollout, known issues, and new info
There aren't any features under temporary enterprise control between Windows 11, version 23H2 and Windows 11, version 24H2. For a list of features that were under temporary enterprise control between Windows 11, version 22H2 and Windows 11, version 23H2, see, [Windows 11 features behind temporary enterprise feature control](temporary-enterprise-feature-control.md).
## Checkpoint cumulative updates
-
+
Microsoft is introducing checkpoint cumulative updates, a new servicing model that enables devices running Windows 11, version 24H2 or later to save time, bandwidth and hard drive space when getting features and security enhancements via the latest cumulative update. Previously, the cumulative updates contained all changes to the binaries since the last release to manufacturing (RTM) version. The size of the cumulative updates could grow large over time since RTM was used as the baseline for each update.
With checkpoint cumulative updates, the update file level differentials are based on a previous cumulative update instead of the RTM release. Cumulative updates that serve as a checkpoint will be released periodically. Using a checkpoint rather than RTM means the subsequent update packages are smaller, which makes downloads and installations faster. Using a checkpoint also means that in order for a device to install the latest cumulative update, the installation of a prerequisite cumulative update might be required. For more information about checkpoint cumulative updates, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552).
## Features exclusive to Copilot+ PCs in 24H2
-Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
+Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
- Live Captions allow you to translate audio and video content into English subtitles from 44 languages. For more information, see [Use live captions to better understand audio](https://support.microsoft.com/topic/b52da59c-14b8-4031-aeeb-f6a47e6055df).
- Windows Studio Effects is the collective name of AI-powered video call and audio effects that are available on Copilot+ PCs and select Windows 11 devices with compatible NPUs. Windows Studio Effects automatically improves lighting and cancels noises during video calls. For more information, see [Windows Studio Effects](https://support.microsoft.com/topic/273c1fa8-2b3f-41b1-a587-7cc7a24b62d8).
@@ -80,7 +80,7 @@ The following changes were made for SMB signing and encryption:
- **SMB client encryption**: SMB now supports [requiring encryption](/windows-server/storage/file-server/configure-smb-client-require-encryption) on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see [https://aka.ms/SmbClientEncrypt](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-client-encryption-mandate-now-supported-in-windows-insider/ba-p/3964037).
-- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
+- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
#### SMB alternative client and server ports
@@ -104,7 +104,7 @@ For more information about this change, see [https://aka.ms/SmbDialectManage](ht
[SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature.
-Administrators now have more options for SMB over QUIC such as:
+Administrators now have more options for SMB over QUIC such as:
- [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
- [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell
@@ -124,7 +124,7 @@ For more information about this change, see [https://aka.ms/SMBfirewall](https:/
[LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) helps protect against theft of secrets and credentials used for logon by preventing unauthorized code from running in the LSA process and by preventing dumping of process memory. An audit occurs for incompatibilities with LSA protection for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, LSA protection records whether programs are blocked from loading into LSA. If you would like to check if something was blocked, review the [logging](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load).
-
+
### Remote Mailslot protocol disabled by default
[Remote Mailslot protocol](/openspecs/windows_protocols/ms-mail/47ac910f-1dec-4791-8486-9b3e8fd542da) was [deprecated](deprecated-features.md#deprecated-features) in November 2023 and is now disabled by default starting in Windows 11, version 24H2. For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots).
@@ -144,18 +144,18 @@ LAPS has the following policy improvements:
- Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the zero and the letter O aren't used in the password since the characters can be confused.
- Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
-Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
+Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
### Rust in the Windows kernel
There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel.
-### Personal Data Encryption (PDE) for folders
+### Personal Data Encryption for folders
-PDE for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. PDE for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
-PDE for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
+Personal Data Encryption for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. Personal Data Encryption for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
+Personal Data Encryption for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
-For more information about PDE, see [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
+For more information about Personal Data Encryption, see [Personal Data Encryption overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
### Windows protected print mode
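Review bot: the renamed sentence "For more information about Personal Data Encryption, see [Personal Data Encryption overview](...)" is missing its terminal period. In the same hunk, "Personal Data Encryption for Folders settings is available" capitalizes "Folders" inconsistently with the heading and the preceding paragraph ("for folders"), and "settings is" should be "settings are" (or "The ... setting is"). Also note that this hunk links the overview at /windows/security/operating-system-security/data-protection/personal-data-encryption while the earlier hunk in this change links /windows/security/information-protection/personal-data-encryption/overview-pde; confirm both paths resolve (or redirect) to the same page.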
@@ -184,7 +184,7 @@ Support for Wi-Fi 7 was added for consumer access points. Wi-Fi 7, also known a
### Bluetooth ® LE audio support for assistive devices
-Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
+Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
### Windows location improvements
@@ -213,7 +213,7 @@ In addition to the monthly cumulative update, optional updates are available to
### Remote Desktop Connection improvements
Remote Desktop Connection has the following improvements:
-- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
+- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
- Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%
- Improvements to the connection bar design
@@ -223,11 +223,11 @@ Remote Desktop Connection has the following improvements:
- **File Explorer**: The following changes were made to File Explorer context menu:
- Support for creating 7-zip and TAR archives
- - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
+ - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
- Labels were added to the context menu icons for actions like copy, paste, delete, and rename
- **OOBE improvement**: when you need to connect to a network and there's no Wi-Fi drivers, you're given an *Install drivers* option to install drivers that are already downloaded
- **Registry Editor**: The Registry Editor supports limiting a search to the currently selected key and its descendants
-- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
+- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
### Developer APIs
@@ -242,5 +242,6 @@ The following developer APIs were added or updated:
The following [deprecated features](deprecated-features.md) are [removed](removed-features.md) in Windows 11, version 24H2:
+- **NTLMv1**: NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025.
- **WordPad**: WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025.
- **Alljoyn**: Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired.
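Review bot: the new NTLMv1 bullet is the only item in this list with no link, while the sibling entries point to their feature documentation. Suggest linking the corresponding entry in deprecated-features.md and adding one sentence on impact, since removal of the protocol means clients or applications that can only negotiate NTLMv1 will fail to authenticate after the upgrade; the bullet as written does not tell an IT pro what to check before deploying 24H2.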
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 40e15cb0a2..c50c610a28 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -1,5 +1,5 @@
---
-title: Windows commercial licensing overview
+title: Windows Commercial Licensing Overview
description: Learn about products and use rights available through Windows commercial licensing.
ms.subservice: itpro-security
author: paolomatarazzo
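Review bot: the title is changed to Title Case ("Windows Commercial Licensing Overview") while the unchanged description on the next line still uses sentence case ("Windows commercial licensing"), and the rest of this docset uses sentence-case titles. Confirm the capitalization change is intentional; if not, revert to "Windows commercial licensing overview".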
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- tier2
ms.topic: overview
-ms.date: 02/29/2024
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
ms.service: windows-client
@@ -143,7 +143,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e
|**[Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
-|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Personal Data Encryption][WIN-3]**|❌|Yes|
|**[Direct Access][WINS-1]**|Yes|Yes|
|**[Always On VPN][WINS-2]**|Yes|Yes|
|**[Windows Experience customization][WIN-4]**|❌|Yes|