diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index da583b8cd9..33d21ef260 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,7 +1,8 @@
---
title: WiFi CSP
description: Learn more about the WiFi CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index a2a8cf4407..5b19466938 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiFi DDF file
description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 10546d7713..0e493f19d0 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard CSP
description: Learn more about the WindowsDefenderApplicationGuard CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 06f96f2518..9af969aacd 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 91e5d7b4ea..bef27c7ed9 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing CSP
description: Learn more about the WindowsLicensing CSP.
-ms.date: 08/06/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index d2abdc9fc4..22e3081e8b 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WindowsLicensing DDF file
description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 12bac7c750..253819df28 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork CSP
description: Learn more about the WiredNetwork CSP.
-ms.date: 01/18/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index 178bba80f3..9c796c3f69 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -1,7 +1,8 @@
---
title: WiredNetwork DDF file
description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 02/13/2025
+ms.topic: generated-reference
---
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 711bc21aea..955dee1921 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -48,7 +48,7 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- - name: Updated Windows and Microsoft Copilot experience
+ - name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md
diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md
index d2454b1e79..6f93e76b25 100644
--- a/windows/configuration/taskbar/pinned-apps.md
+++ b/windows/configuration/taskbar/pinned-apps.md
@@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
- **Value:** content of the XML file
> [!NOTE]
-> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
+> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \< and \> entity encodings. Single and double quote characters do not need to be escaped.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index e816d252d7..db0c863b4a 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -294,6 +294,8 @@ items:
href: update/windows-update-logs.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
+ - name: Checkpoint cumulative updates and Microsoft Update Catalog usage
+ href: update/catalog-checkpoint-cumulative-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Update other Microsoft products
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index 79e8211757..1f8366e62b 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -36,4 +36,6 @@ Use the table below to reference any particular content types or services endpoi
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Both |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Both |
| *.do.dsp.mp.microsoft.com | HTTP / 80 HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Connected Cache Managed in Azure |
-| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671 MQTT / 8883 HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
+| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
+| *.ubuntu.com, api.snapcraft.io | HTTP / 80 HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure |
+| packages.microsoft.com | HTTP / 80 HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure |
diff --git a/windows/deployment/do/mcc-ent-prerequisites.md b/windows/deployment/do/mcc-ent-prerequisites.md
index f30f503e31..f8ddaef129 100644
--- a/windows/deployment/do/mcc-ent-prerequisites.md
+++ b/windows/deployment/do/mcc-ent-prerequisites.md
@@ -30,6 +30,8 @@ This article details the requirements and recommended specifications for using M
- [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
- Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
+ Note that there is no limit to the number of licensed machines that may concurrently download from a Connected Cache node.
+
## Cache node host machine requirements
### General requirements
diff --git a/windows/deployment/do/mcc-ent-release-notes.md b/windows/deployment/do/mcc-ent-release-notes.md
index 28471a7fb7..7a69747aff 100644
--- a/windows/deployment/do/mcc-ent-release-notes.md
+++ b/windows/deployment/do/mcc-ent-release-notes.md
@@ -18,16 +18,29 @@ ms.date: 10/30/2024
This article contains details about the latest releases of Connected Cache. Since Connected Cache is a preview service, some releases may contain breaking changes.
+## Install script v2.0.0.2
+
+Released on **2/7/2025**
+
+These changes only affect the installation scripts for Connected Cache. To take advantage of these changes, you'll need to redeploy your existing cache nodes using the updated installation script.
+
+### Improvements
+
+- **Removes dependency on AMQP/MQTT ports**: Cache nodes deployed using this updated installation script will no longer use AMQP (5671) or MQTT (8883) ports. This change simplifies the network configuration for cache nodes and reduces the number of ports that need to be opened in your network security group.
+- **Improves cleanup during uninstall**: Windows-hosted cache nodes will now remove port proxy rules when uninstalled using the `uninstallmcconwsl.ps1` script. This change ensures that the host machine's WSL port-forwarding rules are cleaned up properly when uninstalling Connected Cache.
+- **Changes install error codes from decimal to hex code**: Install error codes for Windows-hosted cache nodes are now displayed in hex code format, improving error code readability.
+- **Uses configured proxy to perform install**: If a proxy was configured for the Windows-hosted cache node in Azure portal, the cache node uses the specified proxy during installation.
+
## Release v1.2.1.2076_E (public preview launch)
The public preview released on **10/30/2024**
-For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. Please see the [early preview documentation page](mcc-ent-early-preview.md) for more details.
+For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. See the [early preview documentation page](mcc-ent-early-preview.md) for more details.
### Feature updates
- **Metrics and charts in Azure portal**: You can now visualize *Outbound egress* and *Volume by Content type* charts for your cache node on Azure portal. You can also create custom monitoring charts for your cache nodes. This capability is under the **Metrics** tab on Azure portal.
-- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by simply choosing the OS when creating cache nodes.
+- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by choosing the OS when creating cache nodes.
- **Ubuntu 22.04 LTS**: Cache nodes can now be deployed on Ubuntu 22.04 LTS.
- **Azure CLI support**: Cache nodes can now be created and managed via Azure CLI.
- **Proxy**: We added support for unauthenticated proxy and cloud proxy integration.
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index 9e896b0acf..fd4a693300 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -23,8 +23,6 @@ This article contains instructions on how to troubleshoot different issues you m
This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
-### Cache node monitoring chart in the Azure portal user interface displays incorrect information
-
### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
@@ -82,6 +80,10 @@ You can expect to see the following types of log files:
1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
+### Group Policy Object conflicts with Scheduled Task registration
+
+Enabling the Group Policy Object: [Network access: Do not allow storage of passwords and credentials for network authentication](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication) will prevent the Connected Cache software from registering the scheduled tasks necessary for successful cache node registration and operation.
+
### WSL2 fails to install with message "A specified logon session doesn't exist"
If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..ce4b36fd45
--- /dev/null
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -0,0 +1,93 @@
+---
+title: Checkpoint cumulative updates and the Microsoft Update Catalog
+description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+ - ✅ Windows 11, version 24H2 and later
+ - ✅ Windows Server 2025 and later
+ms.date: 01/31/2025
+---
+
+# Checkpoint cumulative updates and Microsoft Update Catalog usage
+
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+
+## Checkpoint cumulative updates
+
+Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
+
+With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
+
+Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
+
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
+
+### Applicability
+
+A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+
+### Update Windows installation media
+
+This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+
+WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+
+
+## Updating from the Microsoft Update Catalog
+
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
+
+### Finding prior checkpoint cumulative updates
+
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+
+ > Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
+
+### Updating through checkpoint cumulative updates
+
+**Device has the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+
+Examples of eligible devices:
+
+| Device is on | Needs to install|
+|---|---|
+|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+
+**Device needs FoD or language pack customization:**
+
+Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
+
+1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
+1. Mount the install.wim file.
+1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
+1. Run `/Cleanup-Image /StartComponentCleanup`.
+1. Unmount.
+1. Run `DISM /export-image` to optimize the image size, if that's important to you.
+
+**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+
+## Related articles
+
+- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
+- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
+- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..dd9b0e1abd
--- /dev/null
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -0,0 +1,17 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.subservice: itpro-updates
+ms.service: windows-client
+ms.topic: include
+ms.date: 01/31/2025
+ms.localizationpriority: medium
+---
+
+
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e5b5cd4a0b..33f43d08f6 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 11/11/2024
+ms.date: 1/31/2024
---
# Update Windows installation media with Dynamic Update
@@ -62,7 +62,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |
### Azure Stack HCI, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -72,7 +72,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |
### Windows Server 2022 later Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -81,8 +81,8 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |
-### Windows 11, version 22H2 and later Dynamic Update packages
-**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
+### Windows 11, version 22H2, and later Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. The following titles are for Windows 11, version 22H2. Windows 11, version 23H2, and version 24H2 have a similar format:
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
@@ -92,7 +92,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
### Windows 11, version 21H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -102,7 +102,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### Windows 10, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -124,30 +124,30 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
-|-------------------------------------------|-------------------|--------------------------------|------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
-|Add language pack | 2 | 10 | 18 | |
-|Add localized optional packages | 3 | | 19 | |
-|Add font support | 4 | | 20 | |
-|Add text-to-speech | 5 | | 21 | |
-|Update Lang.ini | | | 22 | |
-|Add Features on Demand | | 11 | | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 12 | 23 | |
-|Clean up the image | 7 | 13 | 24 | |
-|Add Optional Components | | 14 | | |
-|Add .NET and .NET cumulative updates | | 15 | | |
-|Export image | 8 | 16 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|--------------------------------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack update via latest cumulative update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Optional Components | | 12 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add Setup.exe and setuphost.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 13 | 23 | |
+|Clean up the image | 7 | 14 | 24 | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
-> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
+> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
-> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+> Microsoft removes the Flash component from Windows through [KB4577586: Update for Removal of Adobe Flash Player](https://support.microsoft.com/kb/4577586). You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
@@ -157,13 +157,13 @@ The main operating system file (install.wim) might contain multiple editions of
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline. However, doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
-To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
+To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -178,7 +178,8 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These aren't required, but added to highlight when in the sequence they should be added. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO is superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you're using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
+
```powershell
#Requires -RunAsAdministrator
@@ -187,40 +188,38 @@ function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
Write-Output "$(Get-TS): Starting media refresh"
-# Declare language for showcasing adding optional localized components
-$LANG = "ja-jp"
-$LANG_FONT_CAPABILITY = "jpan"
-
-# Declare media for FOD and LPs
-# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
-# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
-# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
-$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
-
# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed
# checkpoint cumulative updates.
$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"
-$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu"
-# Declare folders for mounted images and temp files
-$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
-$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$WORKING_PATH = "C:\mediaRefresh\temp"
-$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
-$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
-$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\CLIENT_LOF_PACKAGES_OEM.iso"
+
+# Array of Features On Demand for main OS
+# This is optional to showcase where these are added
+$FOD = @(
+'XPS.Viewer~~~~0.0.1.0'
+)
+
+# Array of Legacy Features for main OS
+# This is optional to showcase where these are added
+$OC = @(
+'MediaPlayback'
+'WindowsMediaPlayer'
+)
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-
-# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
-# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
+# Declare language for showcasing adding optional localized components
+$LANG = "ja-jp"
+$LANG_FONT_CAPABILITY = "jpan"
+
# Declare language related cabs
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
@@ -231,6 +230,14 @@ $WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
+# Declare folders for mounted images and temp files
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia\Ge\client_professional_en-us"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
+$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
+$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
@@ -241,15 +248,16 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
+
```
### Update WinRE and each main OS Windows edition
-The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
+The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
-Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@@ -262,13 +270,15 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-Foreach ($IMAGE in $WINOS_IMAGES) {
+Foreach ($IMAGE in $WINOS_IMAGES)
+{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
- if ($IMAGE.ImageIndex -eq "1") {
+ if ($IMAGE.ImageIndex -eq "1")
+ {
#
# update Windows Recovery Environment (WinRE) within this OS image
@@ -278,29 +288,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
- # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
- # packages installed.
-
-
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
-
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
@@ -308,38 +298,36 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
$theError = $_
Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
#
# Optional: Add the language to recovery environment
#
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
- Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
@@ -349,15 +337,17 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -373,6 +363,10 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
+ }
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@@ -389,35 +383,15 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# update Main OS
#
- # Add servicing stack update (Step 18 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
- # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
- # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
- # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
- # and installed first before the combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ # Add servicing stack update (Step 17 from the table). Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
- # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
- # Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Optional: Add language to main OS
+ # Optional: Add language to main OS and corresponding language experience Features on Demand
Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
- # Optional: Add a Features on Demand to the image
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -436,22 +410,47 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
- # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+ # Optional: Add additional Features On Demand
+ For ( $index = 0; $index -lt $FOD.count; $index++)#
+ {
+ Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Optional: Add Legacy Features
+ For ( $index = 0; $index -lt $OC.count; $index++)
+ {
+ Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
# Add latest cumulative update
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
- # Perform image cleanup
+ # Perform image cleanup. Some Optional Components might require the image to be booted, and thus
+ # image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ if ($LastExitCode -eq -2146498554)
+ {
+ # We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
+ # This is likely due to legacy components being added that require online operations.
+ Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
+ }
+ else
+ {
+ throw "Error: Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
- #
- # Note: If I wanted to enable additional Optional Components, I'd add these here.
- # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
- # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
- #
-
+ # Finally, we'll add .NET 3.5 and the .NET cumulative update
Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -465,7 +464,6 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Export
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
@@ -474,7 +472,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
-This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@@ -484,31 +482,14 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
-Foreach ($IMAGE in $WINPE_IMAGES) {
+Foreach ($IMAGE in $WINPE_IMAGES)
+{
# update WinPE
Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 9 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update
- # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
-
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
@@ -518,38 +499,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
- Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
-
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
@@ -558,15 +535,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -576,9 +555,14 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
- if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
+ if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
+ {
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
+ }
}
# Add latest cumulative update
@@ -588,28 +572,31 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
- if ($IMAGE.ImageIndex -eq "2") {
-
+ if ($IMAGE.ImageIndex -eq "2")
+ {
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
- if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") {
-
+ if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
+ {
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
- else {
-
+ else
+ {
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
-
}
# Dismount
@@ -618,15 +605,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
#Export WinPE
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
+
```
### Update remaining media files
-This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe and boot manager files using the previously saved versions from WinPE.
+This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe, and boot manager files using the previously saved versions from WinPE.
```powershell
#
@@ -636,14 +623,18 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
+if ($LastExitCode -ne 0)
+{
+ throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
+}
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
-if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
-
+if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
+{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
@@ -651,16 +642,15 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
-Foreach ($File in $MEDIA_NEW_FILES){
+Foreach ($File in $MEDIA_NEW_FILES)
+{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
@@ -685,4 +675,5 @@ Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
+
```
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 2df0fe24ef..ef01bc96d7 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,6 +1,6 @@
---
title: Update release cycle for Windows clients
-description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/04/2024
+ms.date: 01/31/2025
---
# Update release cycle for Windows clients
@@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
To access the optional nonsecurity preview release:
-- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
+- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
+
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@@ -83,6 +90,9 @@ Some key considerations about OOB releases include:
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 5da693649e..78f9f1690b 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
-1. **The log level** - Info, Warning, Error, Fatal Error
+2. **The log level** - Info, Warning, Error, Fatal Error
-1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-1. **The message** - Operation completed successfully.
+4. **The message** - Operation completed successfully.
See the following example:
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
index da72341ab0..444ff9cf37 100644
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 00ae1403ff..c66b48114b 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,
"Remediation":[
-
+
],
"SetupPhaseInfo":null,
"SetupOperationInfo":null
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 48726194a2..5caad8feef 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index c7251d75b2..34c5e47773 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -18,7 +18,7 @@ appliesto:
> [!NOTE]
>
-> This article is a 300 level article (moderately advanced).
+> This article is a 300 level article (moderately advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index 1033866907..4d1dcd205e 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 02/13/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 9e1d97ccac..3a2a091e06 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 08/30/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index d189141607..563fffa13b 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 08/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index f0fdf74531..e69fa2a0eb 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 8e72361a5d..631c7b6aa6 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us
## What offline environments are supported?
-All currently supported
+All currently supported
The following table defines the supported combination of online and offline operating systems in USMT.
@@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in
```xml
- C:\Windows
- D:\Windows
- E:\
+ C:\Windows
+ D:\Windows
+ E:\
1
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 3adb68387b..2994c4a929 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 4ebf6ff55f..fe77583153 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 1847cce5d9..e8a0d69a2f 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 4844937b52..71da51bdda 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 1685667185..d618b669c3 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index c0e4682965..f77777e41f 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th
-
+
-->
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index f9874a4d2f..c2a0454e4b 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c
%CSIDL_PERSONAL%\* [*.doc]
-
+
```
### How does USMT process each component in an .xml file with multiple components?
@@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3
C:\* [*.mp3]
-
+
```
### \ and \ rules precedence examples
@@ -185,11 +185,11 @@ The destination computer contains the following files:
A custom **.xml** file contains the following code:
```xml
-
-
- c:\data\* [*]
-
-
+
+
+ c:\data\* [*]
+
+
```
For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file.
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 130f3031c8..c398822c63 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra
My Video
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the `
-
-
+
+
@@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the `
-
+
C:\*\Presentations\* [*]
C:\Presentations\* [*]
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 8eefa733d4..00a902de28 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index bad57314e9..098c1a8a45 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 014e48a76e..ae5b4e142e 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 354badb01a..72388d511e 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 59234776e5..9fefd6f0b4 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index 666888f9d3..fb9a10a99e 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -11,12 +11,12 @@ metadata:
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
- ms.date: 01/09/2024
+ ms.date: 01/29/2025
ms.topic: faq
title: Frequently Asked Questions
summary: |
**Applies to:**
-
+
- Windows 11
- Windows 10
@@ -30,13 +30,13 @@ sections:
How much space is needed on the destination computer?
answer: |
The destination computer needs enough available space for the following items:
-
+
- Operating system
-
+
- Applications
-
+
- Uncompressed store
-
+
- question: |
Can the files and settings be stored directly on the destination computer or is a server needed?
answer: |
@@ -47,13 +47,13 @@ sections:
- Directly on the destination computer.
To store it directly on the destination computer:
-
+
1. Create and share the directory `C:\store` on the destination computer.
-
+
1. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store`
-
+
1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
-
+
- question: |
Can data be migrated between operating systems with different languages?
answer: |
@@ -80,7 +80,7 @@ sections:
How can a folder or a certain type of file be excluded from the migration?
answer: |
The **\** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\** rules that are in the **.xml** files. For an example, see **\** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
-
+
- question: |
What happens to files that were located on a drive that don't exist on the destination computer?
answer: |
@@ -91,22 +91,22 @@ sections:
- C:\\ is the system drive on the destination computer.
the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\** rules attempt to move data to a drive that doesn't exist on the destination computer.
-
+
- name: USMT .xml Files
questions:
- question: |
Where are there examples of USMT **.xml** files?
answer: |
The following articles include examples of USMT **.xml** files:
-
+
- [Exclude files and settings](usmt-exclude-files-and-settings.md)
-
+
- [Reroute files and settings](usmt-reroute-files-and-settings.md)
-
+
- [Include files and settings](usmt-include-files-and-settings.md)
-
+
- [Custom XML examples](usmt-custom-xml-examples.md)
-
+
- question: |
Can custom **.xml** files that were written for USMT 5.0 be used?
answer: |
@@ -121,9 +121,9 @@ sections:
Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands?
answer: |
The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings.
-
+
If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- question: |
Which files can be modified and specified on the command line?
answer: |
@@ -133,20 +133,20 @@ sections:
What happens if the **.xml** files aren't specified on the command line?
answer: |
- **ScanState**
-
+
If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
-
+
- **LoadState**
-
+
If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- name: Conflicts and Precedence
questions:
- question: |
What happens when there are conflicting XML rules or conflicting objects on the destination computer?
answer: |
For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
-
+
additionalContent: |
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 38b66a02b6..950371b73e 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library
The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
For example, specify the file
-
+
`C:\Windows\Notepad.exe`
-
+
as
-
+
**c:\\Windows\[Notepad.exe\]**
-
+
Similarly, specify the directory
-
+
`C:\Windows\System32`
-
+
as
-
+
**c:\\Windows\\System32**
-
+
Note the absence of the **\[\]** characters in second example.
The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index d2cae89bc7..7c21f7e783 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 591b1d3804..0da69dfec4 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol
There are three types of components:
- Components that migrate the operating system settings.
-
+
- Components that migrate application settings.
- Components that migrate users' files.
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index c3589124d1..72231c5f35 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index feca874008..41d2a4f881 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index e5b15c352d..e46ff9f218 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index cedbe8d1f9..941df2cced 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 736881d3b3..314590b2b7 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -9,7 +9,7 @@ author: frankroj
ms.topic: conceptual
ms.localizationpriority: medium
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index f4d79a27f2..6ff87626e6 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key.
```xml
- Component to migrate only registry value string
+ Component to migrate only registry value string
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
@@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
-
+
+
@@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
+
C:\*\EngineeringDrafts\* [*]
C:\EngineeringDrafts\* [*]
@@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive
-
+
```
## Migrate a specific file
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index a4bf1f2eeb..30667f7873 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 70f159b544..27e897b01d 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 39944f9a6a..8d146557a2 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 41f319446d..2e82b3db4e 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index b5dc3eb5fe..2084dbdd22 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index f0023bfc0b..0e8726cf9a 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -7,7 +7,7 @@ author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: overview
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 20bbc09ad5..6fbc90a488 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 0d2153bbaa..74170fceed 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index 9581170803..adeaf3c10e 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 26b5f86f7a..438b71d40b 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index f002c6d337..e7a5305f00 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed
-
+
```
## Reroute a specific file
@@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin
Sample.doc into the Documents folder
-
-
+
+
C:\EngineeringDrafts\ [Sample.doc]
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 239d7be582..6e81c92b9a 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -23,7 +23,7 @@ appliesto:
- Microsoft Visual Studio
- The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio.
-
+
For more information about how to use the schema with an XML authoring environment, see the environment's documentation.
- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS).
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 24f73b72d1..a25a4bde8e 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 1254f4fef0..d269cd7597 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 57767aecf4..4b1d005a41 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index e3be3d8fd0..56ee8a1868 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 3e85b84a37..3ca79322a4 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 20c70db094..bef1f41088 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index e03e8db9c0..56cee12f98 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/18/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index a4694c75a9..fc41899980 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -1070,10 +1070,10 @@ Example:
-
DOC
@@ -1126,18 +1126,18 @@ Syntax:
For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\** element:
```xml
-
- doc
-
+
+ doc
+
```
is the same as specifying the following code below the **\** element:
```xml
-
-
-
-
+
+
+
+
```
@@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYVIDEO%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the
%CSIDL_STARTMENU%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")
-
+
@@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1969,7 +1969,7 @@ Examples:
To migrate the Sample.doc file from any drive on the source computer, use **\** as follows. If multiple files exist with the same name, all such files get migrated.
```xml
-
+
```
For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
@@ -2171,7 +2171,7 @@ For example:
```xml
- %CSIDL_COMMON_APPDATA%\QuickTime
+ %CSIDL_COMMON_APPDATA%\QuickTime
```
@@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi
-
+
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index 3b1f32fc27..21d2195393 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 818a24659e..f611d55175 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 7d1969ad11..8b1d97b433 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
index 026f05bd13..0cf0c9260b 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -1,7 +1,7 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
-ms.date: 11/19/2024
+ms.date: 02/03/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -22,7 +22,12 @@ ms.collection:
> [!IMPORTANT]
> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
-Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.
+
+> [!NOTE]
+> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition).
## Key benefits
@@ -30,7 +35,18 @@ Hotpatch updates are [Monthly B release security updates](/windows/deployment/up
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
-## Operating system configuration prerequisites
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1).
+
+| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) |
+| ----- | ----- | ----- |
+| 1 | January | February and March |
+| 2 | April | May and June |
+| 3 | July | August and September |
+| 4 | October | November and December |
+
+## Operating system configuration prerequisites
To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.
@@ -40,9 +56,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
-Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
-Key value: `**HotPatchRestrictions=1**`
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+DWORD key value: HotPatchRestrictions=1
> [!IMPORTANT]
> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
@@ -66,13 +82,6 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem
> [!NOTE]
> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
-## Release cycles
-
-For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
-
-- Baseline Release Months: January, April, July, October
-- Hotpatch Release Months: February, March, May, June, August, September, November, December
-
## Enroll devices to receive Hotpatch updates
> [!NOTE]
@@ -95,3 +104,7 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices
> [!NOTE]
> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
+
+## Roll back a hotpatch update
+
+Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 8ba74fe797..7778e7edf0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
- device.autopatch.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- device.autopatch.microsoft.com
|
## Delivery Optimization
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 7c41ff3d2a..4bf198648c 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -174,6 +174,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+||The following endpoint is for a public web API used by Windows and other OS-agnostic products to check for new updates. If you disable this endpoint, these products won't be able to check for and apply software updates.|TLSv1.2/HTTPS/HTTP|*.api.cdp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
|||TLSv1.2|da.xboxservices.com|
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
index 23d40c8440..f2ebb636f5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
@@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
-- webclnt.dll/davsvc.dll
+- webclnt.dll/davsvc.dll3
- wfc.exe
- windbg.exe
- wmic.exe
@@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
+3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
+
* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
index 8cdfe418ba..0c9fb3469f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
@@ -130,7 +130,9 @@ There's a defined list of SIDs that App Control recognizes as admins. If a filep
App Control's list of well-known admin SIDs are:
+```
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
+```
When filepath rules are generated using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
@@ -140,8 +142,8 @@ The following wildcards can be used in App Control filepath rules:
| Wildcard character | Meaning | Supported operating systems |
|------------ | ----------- | ----------- |
-| **`*`** | Matches zero or more characters. | Windows 11, Windows 10, and Windows Server 2022 |
-| **`?`** | Matches a single character. | Windows 11 only |
+| **`*`** | Matches zero or more characters. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **`?`** | Matches a single character. | Windows 11 and later, or Windows Server 2025 and later |
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. These macros can be used in combination with the wildcards above.
@@ -154,9 +156,9 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
| Examples | Description | Supported operating systems |
|------------ | ----------- | ----------- |
-| **C:\\Windows\\\***
**D:\\EnterpriseApps\\MyApp\\\***
**%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 11, Windows 10, and Windows Server 2022 |
-| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 11, Windows 10, and Windows Server 2022 |
-| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe**
**%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match:
*`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`*
*`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 only |
+| **C:\\Windows\\\***
**D:\\EnterpriseApps\\MyApp\\\***
**%OSDRIVE%\\Windows\\\*** | Wildcards placed at the end of a path authorize all files in the immediate path and its subdirectories recursively. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **\*\\bar.exe** | Wildcards placed at the beginning of a path allow the exact specified filename in any location. | Windows 10, Windows 11 and later, or Windows Server 2022 and later |
+| **C:\\\*\\CCMCACHE\\\*\\7z????-x64.exe**
**%OSDRIVE%\\\*\\CCMCACHE\\\*\\7z????-x64.exe** | Wildcards used in the middle of a path allow all files that match that pattern. Consider carefully all the possible matches, particularly if your policy disables the admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option. In this example, both of these hypothetical paths would match:
*`C:\WINDOWS\CCMCACHE\12345\7zabcd-x64.exe`*
*`C:\USERS\AppControlUSER\Downloads\Malware\CCMCACHE\Pwned\7zhaha-x64.exe`* | Windows 11 and later, or Windows Server 2025 and later |
Without a wildcard, the filepath rule allows only a specific file (ex. `C:\foo\bar.exe`).
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e0cd0064c8..eebfabaaa0 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -142,9 +142,10 @@
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
- "application-security/application-control/windows-defender-application-control/**/*.md": [
+ "application-security/application-control/app-control-for-business/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index 26e30724a9..3a5d20bea8 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -210,9 +210,9 @@ sections:
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
- - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
+ - question: Does Windows Hello for Business cloud Kerberos trust work with RODC present in the hybrid environment?
answer: |
- Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
+ Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication.
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png
index d5c3416a67..fffcd5b0f2 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-client-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png
index 86d43fcb2c..882c46356a 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png
index 755c1b66e0..295580ed83 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png and b/windows/security/identity-protection/hello-for-business/images/pin-reset/pin-reset-service-prompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index bc28fecee5..305932af9b 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 06/11/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
index 9bc006a4e0..3d3f9622e0 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 10/29/2024
+ms.date: 01/30/2025
---
# Transition into a passwordless deployment
@@ -123,7 +123,7 @@ function Generate-RandomPassword{
$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
-Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
+Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset
```
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
index 421165a49b..9da8c4e609 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
@@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
-ms.date: 12/05/2024
+ms.date: 02/11/2025
---
# BitLocker recovery process
@@ -75,7 +75,7 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
-> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
+> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will continue to have access to BitLocker recovery keys for those devices that have undergone device ownership changes, unless the new device owner belongs to a custom role or adminstrative unit scope. In such an instance, the user will need to contact other scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 05f61ccf78..75939e36c9 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
+### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
+| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index ced5288d21..3556919a26 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
+ - Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- - Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
+ - Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index c2a7ae57a8..2fc0efca6e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index daf7f89f5d..9a4865a98c 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 539eeaeda6..26a2c22a06 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
-- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 85b51dd4d1..53c870afc0 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 8fa4ab6725..9702c4afee 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
-At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section.
Server-side infrastructure requirements to support VPN device compliance include:
@@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
-> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
-> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
+> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 7199978f6c..0c0b47c65c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> 
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 3233517baa..c1c9ac3826 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: overview
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 666f60d6c1..36074af74a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index aced17dd8e..02b7c5daff 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 4fdbb86971..43f5802163 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index e5f0bc3f68..6bbae9aa58 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 05/06/2024
+ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
Once enabled, you can add the routes that should use the VPN connection.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index 0ca87d7370..2e53eeeae5 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 4b2f886e48..b9612ab0de 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 01/24/2025
+ms.date: 02/12/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -21,9 +21,9 @@ appliesto:
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that were removed, see [Windows features removed](removed-features.md).
-For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
-
-To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
+- For more information about how deprecation fits into the Windows lifecycle, see [Deprecation: What it means in the Windows lifecycle](https://techcommunity.microsoft.com/blog/windows-itpro-blog/deprecation-what-it-means-in-the-windows-lifecycle/4372457).
+- For more information about features removed on upgrade to Windows 11 from Windows 10, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
@@ -47,18 +47,19 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
+| Location History | We are deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 |
| Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 |
| Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired: - Playback of protected content in the legacy Windows Media Player on Windows 7
- Playback of protected content in a Silverlight client and Windows 8 clients
- In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
- Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
| September 2024 |
| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
-| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
+| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
-| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
+| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which tries to authenticate with Kerberos and only falls back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md). **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 |
| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
-| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
-| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
+| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to `disabled` by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
+| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits is deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
-| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there won't be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app won't be available after May 2024. This change affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you're ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |