diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 55a3527bd5..0c163a6d0b 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -41,7 +41,7 @@ This policy setting allows you to configure scans for malicious software and unw
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -110,7 +110,7 @@ This policy setting allows you to configure behavior monitoring.
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -192,7 +192,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -461,7 +461,7 @@ Allows or disallows Windows Defender Intrusion Prevention functionality.
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -516,7 +516,7 @@ This policy setting allows you to configure scanning for all downloaded files an
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -585,7 +585,7 @@ This policy setting allows you to configure monitoring for file and program acti
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -650,7 +650,7 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -713,12 +713,12 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
-This policy setting allows you to configure scheduled scans and on-demand (manually initiated) scans for files that are accessed over the network. It is recommended to enable this setting.
+This policy setting allows you to configure scheduled scans and on-demand (manually initiated) scans for files that are accessed over the network. It's recommended to enable this setting.
>[!NOTE]
-> Real-time protection (on-access) scanning is not impacted by this policy.
+> Real-time protection (on-access) scanning isn't impacted by this policy.
-- If you enable this setting or do not configure this setting, network files will be scanned.
-- If you disable this setting, network files will not be scanned.
+- If you enable this setting or don't configure this setting, network files will be scanned.
+- If you disable this setting, network files won't be scanned.
@@ -783,7 +783,7 @@ Allows or disallows Windows Defender Script Scanning functionality.
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+> Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
@@ -1549,7 +1549,7 @@ This policy setting defines the number of days items should be kept in the Quara
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that's initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-- If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
- If you enable this setting, catch-up scans for scheduled full scans will be disabled.
@@ -1619,7 +1619,7 @@ This policy setting allows you to configure catch-up scans for scheduled full sc
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that's initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-- If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
- If you enable this setting, catch-up scans for scheduled quick scans will be disabled.
@@ -1814,7 +1814,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul
- If you enable this setting, low CPU priority will be used during scheduled scans.
-- If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans.
+- If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans.
@@ -2069,7 +2069,7 @@ Allows an administrator to specify a list of directory paths to ignore during a
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
> [!IMPORTANT]
-> The process itself isn't excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe.
+> The process itself isn't excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example.exe|C:\Example1.exe.
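Review bot: In the `[!IMPORTANT]` alert, "Each file type must be separated by a |" still says "file type", but the corrected example (`C:\Example.exe|C:\Example1.exe`) lists process paths and the setting is described as "files opened by processes". Suggest "Each process path must be separated by a |", since an extension list and a path list read very differently when someone is building an exclusion. The clause "but can be by using the Defender/ExcludedPaths policy" would also be clearer as its own sentence: "To exclude the process itself, use the Defender/ExcludedPaths policy."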
@@ -2164,7 +2164,7 @@ Same as Disabled.
| Value | Description |
|:--|:--|
| 0 (Default) | PUA Protection off. Windows Defender won't protect against potentially unwanted applications. |
-| 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. |
+| 1 | PUA Protection on. Detected items are blocked. They'll show in history along with other threats. |
| 2 | Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would've taken action against by searching for events created by Windows Defender in the Event Viewer. |
@@ -2204,7 +2204,7 @@ Same as Disabled.
-This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It's recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
+This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It's recommended for use on servers where there's a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
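Review bot: The reworded sentence still has no subject for "need to have scanning disabled" ("servers where there's a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled"). Suggest "on servers that handle a lot of incoming and outgoing file activity and, for performance reasons, need scanning disabled for one direction". The NTFS caveat on the following line decides whether the setting is honored at all, so it would be easier to spot as a `[!NOTE]` alert like the others in this file.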
@@ -2868,7 +2868,9 @@ Valid remediation action values are:
> [!NOTE]
-> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.
+>
+> - **Ignore** is the same as **Allow** in [Microsoft Defender for Endpoint Security Settings Management](/defender-endpoint/mde-security-settings-management), [Microsoft Intune](/intune/intune-service/protect/endpoint-security-antivirus-policy), and Defender Powershell module: [Set-MpPreference](/powershell/module/defender/set-mppreference).
+> - Changes to this setting aren't applied when [tamper protection][TAMPER-1] is enabled.
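Review bot: In the added **Ignore** bullet, "Defender Powershell module" should be "Defender PowerShell module", and the colon before the `Set-MpPreference` link breaks the parallel list of three tools; "and the Defender PowerShell cmdlet [Set-MpPreference]" reads cleanly. Because this bullet tells readers that a remediation action named Ignore behaves as Allow in those tools, consider stating it next to the "Valid remediation action values" list as well, so the equivalence is visible where the value is chosen and not only in the note.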
@@ -2886,7 +2888,7 @@ Valid remediation action values are:
| Name | Value |
|:--|:--|
| Name | Threats_ThreatSeverityDefaultAction |
-| Friendly Name | Specify threat alert levels at which default action should not be taken when detected |
+| Friendly Name | Specify threat alert levels at which default action shouldn't be taken when detected |
| Element Name | Specify threat alert levels at which default action shouldn't be taken when detected. |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Threats |
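Review bot: The Friendly Name row is changed to "shouldn't", but this table maps the policy to its Group Policy entry (Location and Path rows), so the Friendly Name should match the string displayed in the Group Policy editor character for character. Please confirm the displayed string uses the contraction; if it doesn't, keep "should not" in this row so that searching by name finds the setting.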
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 01fd23ea15..0a732b6245 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,7 +1,7 @@
---
title: System Policy CSP
description: Learn more about the System Area in Policy CSP.
-ms.date: 04/04/2025
+ms.date: 06/16/2025
ms.topic: generated-reference
---
@@ -1203,7 +1203,7 @@ If you don't configure this policy setting, or you set it to "Enable diagnostic
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5055523](https://support.microsoft.com/help/5055523) [10.0.26100.3775] and later
✅ Windows Insider Preview |
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index cda4e5e217..41e3aef622 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -15,7 +15,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ WSUS
-ms.date: 04/22/2024
+ms.date: 06/17/2025
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
@@ -27,28 +27,24 @@ WSUS is a Windows Server role available in the Windows Server operating systems.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
-
+> [!NOTE]
+> WSUS is deprecated and is no longer adding new features. However, it continues to be supported for production deployments, and receives security and quality updates as per the product lifecycle. For more info, see [Features removed or no longer developed in Windows Server](/windows-server/get-started/removed-deprecated-features-windows-server).
## Requirements for Windows client servicing with WSUS
-To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version:
-- WSUS 10.0.14393 (role in Windows Server 2016)
-- WSUS 10.0.17763 (role in Windows Server 2019)
-- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
-- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
-
-> [!IMPORTANT]
-> Both [KB 3095113](https://support.microsoft.com/kb/3095113) and [KB 3159706](https://support.microsoft.com/kb/3159706) are included in the **Security Monthly Quality Rollup** starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a **Security Monthly Quality Rollup** released after **October 2017** since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.
->If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see [How to Delete Upgrades in WSUS](/archive/blogs/wsus/how-to-delete-upgrades-in-wsus).
+To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS on a supported operating system version:
+- WSUS role in Windows Server 2016
+- WSUS role in Windows Server 2019
+- WSUS role in Windows Server 2022
+- WSUS role in Windows Server 2025
+For more information about deploying the WSUS role, see [Windows Server Update Services (WSUS) overview](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
-
-
## Configure automatic updates and update service location
When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
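Review bot: The new requirement sentence, "you must use a supported WSUS on a supported operating system version", is hard to parse; suggest "you must use the WSUS role on a supported Windows Server version". The hunk also removes the Windows Server 2012 and 2012 R2 entries together with the KB 3095113 and KB 3159706 prerequisite and the recovery link. If those versions are now out of scope, one sentence saying so (the new deprecation note is a natural place) would help readers who still run them.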
@@ -64,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin

>[!NOTE]
- >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+ >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This isn't a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
@@ -83,10 +79,8 @@ When using WSUS to manage updates on Windows client devices, start by configurin

>[!IMPORTANT]
- > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
-
- > [!NOTE]
- > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
+ > - Use Regedit.exe to check that the following key isn't enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
+ > - There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
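Review bot: Folding the former `[!NOTE]` about the three other scheduling options into the `[!IMPORTANT]` alert gives an informational remark the same weight as the registry check. Keep the registry warning alone under `[!IMPORTANT]` and leave the second bullet as a `[!NOTE]`. Also, `DoNotConnectToWindowsUpdateInternetLocations` at the end of that path is a registry value under the `WindowsUpdate` key, so "check that the following key isn't enabled" would be more accurate as "check that the following value isn't enabled".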
@@ -94,21 +88,16 @@ When using WSUS to manage updates on Windows client devices, start by configurin
12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**.
+ 
+
>[!NOTE]
- >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
-
- 
-
- >[!NOTE]
- >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
+ > - The URL `http://Your_WSUS_Server_FQDN:PortNumber` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+ > - The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
## Create computer groups in the WSUS Administration Console
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
**To create computer groups in the WSUS Administration Console**
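Review bot: The first bullet of the merged note still says "in the following image", but this hunk moves `waas-wsus-fig5.png` above the note, so it should read "in the preceding image". The note's URL was changed from `http://CONTOSO-WSUS1.contoso.com:8530` to `http://Your_WSUS_Server_FQDN:PortNumber` while the image file is unchanged, so please check that the screenshot and the text still agree. Step 12 shows only the `http://` form even though the second bullet lists 8531 as the HTTPS port; consider showing the `https://` form for servers configured for HTTPS. Finally, removing the note that pointed to Table 1 of the deployment-rings article leaves the ring names used later in the procedures (for example **Ring 3 Broad IT**) without an introduction.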
@@ -174,7 +163,7 @@ You can now see these computers in the **Ring 3 Broad IT** computer group.
## Use Group Policy to populate deployment rings
-The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+The WSUS Administration Console provides a friendly interface from which you can manage Windows quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
**To configure WSUS to allow client-side targeting from Group Policy**
@@ -240,7 +229,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
For clients that should have their feature updates approved as soon as they're available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update client policies branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it's still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update client policies branch settings don't apply to feature updates through WSUS.
**To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring**
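Review bot: In the rewritten note, "the devices in that will install it" is missing its noun; suggest "the devices in that channel will install it". The same note uses "servicing branch" and "Channel" for one concept, so it would read more clearly with a single term throughout.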
@@ -271,7 +260,7 @@ This example uses Windows 10, but the process is the same for Windows 11.
9. In the **Automatic Approvals** dialog box, select **OK**.
>[!NOTE]
- >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update client policies for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+ >WSUS doesn't honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update client policies for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows client feature updates are published to WSUS, they'll automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 9771f4d928..d795984865 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -14,7 +14,7 @@ ms.collection:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 03/13/2024
+ms.date: 06/17/2025
---
# Overview of Windows as a service
@@ -98,7 +98,7 @@ Microsoft never publishes feature updates through Windows Update on devices that
> [!NOTE]
> LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
+The Long-term Servicing Channel is available only in the Windows Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
### Windows Insider
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 549849717d..0f6ec836e2 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier1
ms.subservice: itpro-fundamentals
-ms.date: 03/13/2024
+ms.date: 06/17/2025
appliesto:
- ✅ Windows 11
@@ -46,8 +46,6 @@ To install or upgrade to Windows 11, devices must meet the following minimum har
- Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use.
-For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
-
For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).
## OS requirements