*
+ - Clears a persistent overlay on the next boot (on/off).
+
+- **Servicing**
+ - Configures settings for UWF servicing mode.
+ - [UWF_Servicing](uwf-servicing.md)
+ - *Enable*
+ - Enables servicing mode in the next session after a restart. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.Enable](uwf-servicingenable.md)
+ - *Disable*
+ - Disables UWF servicing mode in the next session after a restart. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.Disable](uwf-servicingdisable.md)
+ - *Update-Windows*
+ - Stand-alone command to apply Windows updates to a device. Called by the master servicing script that is called by the `uwfmgr.exe servicing enable` command. We recommend that you use the `uwfmgr.exe servicing enable` command to service your UWF–protected device whenever possible. Administrator-level permissions are required to use this command.
+ - [UWF_Servicing.UpdateWindows](uwf-servicingupdatewindows.md)
+ - *Get-Config*
+ - Displays UWF servicing mode information for the current session and the next session.
+ - [UWF_Servicing](uwf-servicing.md)
+ - *Help*
+ - Displays command-line help for the `uwfmgr.exe servicing` command.
+
+## Unsupported WMI methods
+
+The following list contains the UWF WMI provider methods that are not currently supported by the **uwfmgr.exe** tool:
+
+- [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md)
+- [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md)
+- [UWF_Volume.FindExclusion](uwf-volumefindexclusion.md)
+- [UWF_Volume.RemoveAllExclusions](uwf-volumeremoveallexclusions.md)
+- [UWF_Volume.SetBindByDriveLetter](uwf-volumesetbindbydriveletter.md)
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwfoverlay.md b/windows/configuration/unified-write-filter/uwfoverlay.md
new file mode 100644
index 0000000000..01c2c8cb3b
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwfoverlay.md
@@ -0,0 +1,133 @@
+---
+title: Overlay for Unified Write Filter (UWF)
+description: Overlay for Unified Write Filter (UWF)
+ms.date: 10/02/2018
+ms.topic: reference
+---
+
+# Unified Write Filter (UWF) overlay location and size
+
+The Unified Write Filter (UWF) protects the contents of a volume by intercepting write attempts to a protected volume and redirects those write attempts to a virtual overlay.
+
+You can choose where the overlay is stored (RAM or disk), how much space is reserved, and what happens when the overlay fills up.
+
+To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device.
+
+## RAM overlay vs. disk overlay
+
+- **RAM overlay (default)**: The virtual overlay is stored in RAM, and is cleared after a reboot.
+
+ - By writing to RAM, you can reduce the wear on write-sensitive media like solid-state drives.
+ - RAM is often more limited than drive space. As the drive overlay fills up the available RAM, device performance could be reduced, and users will eventually be prompted to reboot the device. If your users are expected to make many large writes to the overlay, consider using a disk overlay instead.
+
+- **Disk overlay**: The virtual overlay is stored in a temporary location on the drive. By default, the overlay is cleared on reboot.
+
+ - You can use [freespace passthrough](#freespace-passthrough-recommended) to use additional free space on the drive beyond the reserved virtual overlay space.
+ - On Windows 10, version 1803, you can use [persistent overlay](#persistent-overlay) to allow users to save work in the virtual overlay even after a reboot.
+
+## Overlay size
+
+- Default=1024MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-size`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/MaximumOverlaySize`
+ - [WMI](uwf-overlayconfigsetmaximumsize.md): `UWF\Overlay.SetMaximumSize`
+
+When planning device rollouts, we recommend optimizing the overlay size to fit your needs.
+
+For RAM overlays, you'll need to budget some RAM for the system. For example, if the OS requires 2 GB of RAM, and your device has 4 GB of RAM, set the maximum size of the overlay to 2048MB (2 GB) or less.
+
+We recommend enabling UWF on a test device, installing the necessary apps, and putting the device through usage simulations. You can use this Powershell script to find out which files are consuming space:
+
+```powershell
+$wmiobject = get-wmiobject -Namespace "root\standardcimv2\embedded" -Class UWF_Overlay
+$files = $wmiobject.GetOverlayFiles("c:")
+$files.OverlayFiles | select-object -Property FileName,FileSize | export-csv -Path D:\output.csv
+```
+
+The amount of overlay used will depend on:
+
+- Device usage patterns.
+- Apps that can be accessed. (Some apps have high write volumes and will fill up the overlay faster.)
+- Time between resets.
+- When files are deleted, UWF removes them from the overlay and returns the freed resources to the available pool.
+
+### Warnings and critical events
+
+As the drive overlay fills up the available space, you can warn your users that they're running out of space, and prompt them to reboot the device or to run a script to clear the overlay.
+
+1. Set warning levels and critical levels (optional). When the overlay is filled to this value, UWF writes an Event Tracing for Windows (ETW) message.
+
+ - **Warning level**: Default=512MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-warningthreshold`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/WarningOverlayThreshold`
+ - [WMI](uwf-overlaysetwarningthreshold.md): `UWF_Overlay.SetWarningThreshold`
+ - **Critical level**: Default=1024MB. Set with:
+ - [CMD](uwfmgrexe.md): `uwfmgr overlay set-criticalthreshold`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `NextSession/CriticalOverlayThreshold`
+ - [WMI](uwf-overlaysetcriticalthreshold.md): `UWF_Overlay.SetCriticalThreshold`
+
+ Note, these settings will take affect after the next reboot.
+
+1. Use Task Scheduler to detect the ETW message and to warn users to wrap up their work on the device so they do not lose their content before the overlay is cleared. You can also provide a link to script to clear the contents of the overlay.
+
+ Create tasks that trigger on the event that the **System** log receives an event ID from **uwfvol**:
+
+ | Overlay usage | Source | Level | Event ID |
+ |---------------------|---------|-------------|----------|
+ | Warning threshold | uwfvol | Warning | 1 |
+ | Critical threshold | uwfvol | Error | 2 |
+ | Back to normal | uwfvol | Information | 3 |
+
+1. Reboot the device.
+
+### Freespace passthrough (recommended)
+
+On devices with a disk overlay, you can use freespace passthrough to access your drive's additional free space.
+
+You'll still need to reserve some space on the disk for the overlay. This space is used to manage the overlay, and to store overwrites, such as system updates. All other writes are sent to free space on disk. Over time, the reserved overlay will grow slower and slower, because overwrites will just keep replacing one another.
+
+On devices with a RAM overlay, you can also use freespace passthrough to access your drive's additional free space to reduce overlay usage.
+However, freespace passthrough is not recommended for use with a RAM overlay because it does not reduce wear on write-sensitive media like solid-state drives.
+
+- [CMD](uwfmgrexe.md): uwfmgr overlay set-passthrough (on|off)
+
+### Persistent overlay
+
+> [!NOTE]
+> This mode is experimental, and we recommend thoroughly testing it before deploying to multiple devices. This option is not used by default.
+
+On devices with a disk overlay, you can choose to keep working using the overlay data, even after a reboot. This can be helpful in situations where your guest users may need to access for longer periods, and may need to power off the device between uses.
+
+This option gives your IT department more control over when the overlay is reset. You can also provide your users with scripts that will help them reset the overlay on demand.
+
+To turn persistent overlay on or off:
+
+- [CMD](uwfmgrexe.md): uwfmgr overlay set-persistent (on|off)
+
+To reset the overlay:
+
+- [CMD](uwfmgrexe.md): `uwfmgr overlay reset-persistentstate on`
+
+### Overlay exhaustion
+
+If the size of the overlay is close to or equal to the maximum overlay size, any write attempts will fail, returning an error indicating that there is not enough space to complete the operation. If the overlay on your device reaches this state, your device may become unresponsive and sluggish, and you may need to restart your device.
+
+When Windows shuts down, it attempts to write a number of files to the disk. If the overlay is full, these write attempts fail, causing Windows to attempt to rewrite the files repeatedly until UWF can determine that the device is trying to shut down and resolve the issue. Attempting to shut down by using normal methods when the overlay is full or near to full can result in the device taking a long time, in some cases up to an hour or longer, to shut down.
+
+You can often avoid this issue by using UWF to automatically initiate the shut down or restart:
+
+- **Shut down**:
+ - [CMD](uwfmgrexe.md): `uwfmgr shutdown`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `ShutdownSystem`
+ - [WMI](uwf-filtershutdownsystem.md): `UWF\Filter.ShutdownSystem`
+
+- **Restart**:
+ - [CMD](uwfmgrexe.md): `uwfmgr restart`
+ - [CSP](/windows/client-management/mdm/unifiedwritefilter-csp): `RestartSystem`
+ - [WMI](uwf-filterrestartsystem.md): `UWF\Filter.RestartSystem`
+
+Windows 10 19H1 and later will automatically restart if the maximum size of the overlay is exceeded.
+
+## Related articles
+
+- [Unified Write Filter]( index.md)
diff --git a/windows/configuration/unified-write-filter/uwftroubleshooting.md b/windows/configuration/unified-write-filter/uwftroubleshooting.md
new file mode 100644
index 0000000000..b2b1465444
--- /dev/null
+++ b/windows/configuration/unified-write-filter/uwftroubleshooting.md
@@ -0,0 +1,33 @@
+---
+title: Troubleshooting Unified Write Filter (UWF)
+description: Troubleshooting Unified Write Filter (UWF)
+ms.date: 05/02/2017
+ms.topic: reference
+---
+
+# Troubleshooting Unified Write Filter (UWF)
+
+Review the log files and error message information locations for Unified Write Filter (UWF) on your Windows 10 Enterprise device.
+
+If you are having difficulties configuring Unified Write Filter (UWF) on your device, see the following information about how to find event log and error message information for troubleshooting problems with UWF.
+
+## Event logs
+
+UWF uses Windows Event Log to log events, errors and messages.
+
+* Events related to overlay consumption are sent by UWF kernel mode components and are logged in the **Windows Logs\\System** event log.
+* Event related to configuration changes and servicing logs are sent by UWF user mode components:
+ * Error messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Admin** event log.
+ * Informational messages are logged in the **Applications and Services Logs\\Microsoft\\Windows\\UnifiedWriteFilter\\Operational** event log.
+
+## Related articles
+
+[Unified Write Filter]( index.md)
+
+[Common write filter exclusions](uwfexclusions.md)
+
+[Service UWF-protected devices](service-uwf-protected-devices.md)
+
+[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
+
+[uwfmgr.exe](uwfmgrexe.md)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 3d6cd0975b..1a012b9911 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -294,6 +294,8 @@ items:
href: update/windows-update-logs.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
+ - name: Checkpoint cumulative updates and Microsoft Update Catalog usage
+ href: update/catalog-checkpoint-cumulative-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Update other Microsoft products
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 125aed12f4..a09f4f9a76 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -29,9 +29,9 @@ Microsoft Connected Cache deployed directly to Windows relies on [Windows Subsys
## Supported scenarios and configurations
-Microsoft Connected Cache for Enterprise and Education (preview) is intended to support the following content delivery scenarios:
+Microsoft Connected Cache for Enterprise and Education (preview) is intended to support all Windows cloud downloads that use Delivery Optimization including, but not limited to, the following content delivery scenarios:
-- Pre-provisioning of devices using Windows Autopilot
+- Windows Autopilot deployment scenarios
- Co-managed clients that get monthly updates and Win32 apps from Microsoft Intune
- Cloud-only managed devices, such as Intune-enrolled devices without the Configuration Manager client, that get monthly updates and Win32 apps from Microsoft Intune
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index c814c909f2..9e896b0acf 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -11,7 +11,7 @@ appliesto:
- ✅ Windows 11
- ✅ Supported Linux distributions
- ✅ Microsoft Connected Cache for Enterprise
-ms.date: 10/30/2024
+ms.date: 01/15/2025
---
@@ -118,7 +118,7 @@ You can use Task Scheduler on the host machine to check the status of this sched
### Cache node successfully deployed but not serving requests
-If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation.
+If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation. Since WSL 2 uses a virtualized ethernet adapter by default, port forwarding rules are needed to allow traffic to reach the WSL 2 instance from your LAN. For more information, see [Accessing network applications with WSL](/windows/wsl/networking#accessing-a-wsl-2-distribution-from-your-local-area-network-lan).
To check your host machine's port forwarding rules, use the following PowerShell command.
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index a5c2e9f782..26322219d3 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -15,7 +15,7 @@ metadata:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ms.date: 05/23/2024
+ ms.date: 01/14/2025
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache
@@ -35,10 +35,10 @@ sections:
answer: |
- Azure subscription
- Hardware to host Microsoft Connected Cache
- - Ubuntu 20.04 LTS on a physical server or VM of your choice.
+ - Ubuntu 22.04 LTS on a physical server or VM of your choice.
> [!NOTE]
- > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
+ > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS.
The following are recommended hardware configurations:
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index 284269f52e..5b9d4a5f66 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2024
---
# Operator sign up and service onboarding for Microsoft Connected Cache
@@ -36,7 +36,7 @@ Before you begin sign up, ensure you have the following components:
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
-1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
+1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 22.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index dbced5230c..2eb833af48 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2025
---
# Support and troubleshooting
@@ -97,6 +97,15 @@ Rerun the IoT Edge Check command to validate proper connectivity:
```bash
iotedge check -verbose
```
+
+
+## Updating from Ubuntu 20.04 to 22.04
+You can now provision Microsoft Connected Cache for ISP on Ubuntu 22.04.
+If you have a cache node provisioned on Ubuntu 20.04, you will need to uninstall it first before updating to Ubuntu 22.04.
+Once you have updated the system, download the provisioning package from Azure portal and run the provisioning script on the portal.
+For more information on provisioning cache node, visit, [Create, provision and deploy cache node](mcc-isp-create-provision-deploy.md#provision-your-server).
+
+
## Diagnose and Solve Problems
@@ -110,6 +119,7 @@ Within **Diagnose and solve problems**, select **Troubleshoot** under the type o
:::image type="content" source="images/mcc-isp-diagnose-solve-troubleshoot.png" alt-text="A screenshot of Azure portal showing the option to select Troubleshoot to continue troubleshooting common issues related to the installation of Microsoft Connected Cache." lightbox="images/mcc-isp-diagnose-solve-troubleshoot.png":::
+
## Steps to obtain an Azure subscription ID
To onboard onto Microsoft Connected Cache, you'll need an Azure subscription ID. Use the following steps to obtain your subscription ID:
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index f3d3079534..6df9fd0b0b 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -12,7 +12,7 @@ ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ Microsoft Connected Cache for ISPs
-ms.date: 05/23/2024
+ms.date: 01/14/2025
---
# Enhancing cache performance
@@ -21,7 +21,7 @@ To make sure you're maximizing the performance of your cache node, review the fo
#### OS requirements
-The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
+The Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. Install Ubuntu 22.04 LTS on a physical server or VM of your choice.
#### NIC requirements
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..ce4b36fd45
--- /dev/null
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -0,0 +1,93 @@
+---
+title: Checkpoint cumulative updates and the Microsoft Update Catalog
+description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+ - ✅ Windows 11, version 24H2 and later
+ - ✅ Windows Server 2025 and later
+ms.date: 01/31/2025
+---
+
+# Checkpoint cumulative updates and Microsoft Update Catalog usage
+
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+
+## Checkpoint cumulative updates
+
+Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
+
+With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
+
+Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
+
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
+
+### Applicability
+
+A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+
+### Update Windows installation media
+
+This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+
+WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+
+
+## Updating from the Microsoft Update Catalog
+
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
+
+### Finding prior checkpoint cumulative updates
+
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+
+ > Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
+
+### Updating through checkpoint cumulative updates
+
+**Device has the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+
+Examples of eligible devices:
+
+| Device is on | Needs to install|
+|---|---|
+|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+
+**Device needs FoD or language pack customization:**
+
+Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
+
+1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
+1. Mount the install.wim file.
+1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
+1. Run `/Cleanup-Image /StartComponentCleanup`.
+1. Unmount.
+1. Run `DISM /export-image` to optimize the image size, if that's important to you.
+
+**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
+
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+
+## Related articles
+
+- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
+- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
+- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..dd9b0e1abd
--- /dev/null
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -0,0 +1,17 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.subservice: itpro-updates
+ms.service: windows-client
+ms.topic: include
+ms.date: 01/31/2025
+ms.localizationpriority: medium
+---
+
+
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index be6e1720f3..d36040300b 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 11/11/2024
+ms.date: 1/31/2024
---
# Update Windows installation media with Dynamic Update
@@ -62,7 +62,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |
### Azure Stack HCI, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -72,7 +72,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |
### Windows Server 2022 later Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -81,8 +81,8 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |
-### Windows 11, version 22H2 and later Dynamic Update packages
-**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
+### Windows 11, version 22H2, and later Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. The following titles are for Windows 11, version 22H2. Windows 11, version 23H2, and version 24H2 have a similar format:
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
@@ -92,7 +92,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
### Windows 11, version 21H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -102,7 +102,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### Windows 10, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -124,30 +124,30 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
-|-------------------------------------------|-------------------|--------------------------------|------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
-|Add language pack | 2 | 10 | 18 | |
-|Add localized optional packages | 3 | | 19 | |
-|Add font support | 4 | | 20 | |
-|Add text-to-speech | 5 | | 21 | |
-|Update Lang.ini | | | 22 | |
-|Add Features on Demand | | 11 | | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 12 | 23 | |
-|Clean up the image | 7 | 13 | 24 | |
-|Add Optional Components | | 14 | | |
-|Add .NET and .NET cumulative updates | | 15 | | |
-|Export image | 8 | 16 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|--------------------------------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack update via latest cumulative update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Optional Components | | 12 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add Setup.exe and setuphost.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 13 | 23 | |
+|Clean up the image | 7 | 14 | 24 | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
-> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
+> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
-> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+> Microsoft removes the Flash component from Windows through [KB4577586: Update for Removal of Adobe Flash Player](https://support.microsoft.com/kb/4577586). You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
@@ -157,13 +157,13 @@ The main operating system file (install.wim) might contain multiple editions of
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline. However, doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
-To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
+To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -178,7 +178,8 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These aren't required, but added to highlight when in the sequence they should be added. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO is superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you're using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
+
```powershell
#Requires -RunAsAdministrator
@@ -187,40 +188,38 @@ function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
Write-Output "$(Get-TS): Starting media refresh"
-# Declare language for showcasing adding optional localized components
-$LANG = "ja-jp"
-$LANG_FONT_CAPABILITY = "jpan"
-
-# Declare media for FOD and LPs
-# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
-# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
-# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
-$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
-
# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed
# checkpoint cumulative updates.
$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"
-$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu"
-# Declare folders for mounted images and temp files
-$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
-$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$WORKING_PATH = "C:\mediaRefresh\temp"
-$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
-$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
-$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\CLIENT_LOF_PACKAGES_OEM.iso"
+
+# Array of Features On Demand for main OS
+# This is optional to showcase where these are added
+$FOD = @(
+'XPS.Viewer~~~~0.0.1.0'
+)
+
+# Array of Legacy Features for main OS
+# This is optional to showcase where these are added
+$OC = @(
+'MediaPlayback'
+'WindowsMediaPlayer'
+)
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-
-# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
-# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
+# Declare language for showcasing adding optional localized components
+$LANG = "ja-jp"
+$LANG_FONT_CAPABILITY = "jpan"
+
# Declare language related cabs
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
@@ -231,6 +230,14 @@ $WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
+# Declare folders for mounted images and temp files
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia\Ge\client_professional_en-us"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
+$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
+$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
@@ -241,15 +248,16 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
+
```
### Update WinRE and each main OS Windows edition
-The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
+The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
-Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@@ -262,13 +270,15 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-Foreach ($IMAGE in $WINOS_IMAGES) {
+Foreach ($IMAGE in $WINOS_IMAGES)
+{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
- if ($IMAGE.ImageIndex -eq "1") {
+ if ($IMAGE.ImageIndex -eq "1")
+ {
#
# update Windows Recovery Environment (WinRE) within this OS image
@@ -278,29 +288,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
- # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
- # packages installed.
-
-
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
-
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
@@ -308,38 +298,36 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
$theError = $_
Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
#
# Optional: Add the language to recovery environment
#
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
- Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
@@ -349,15 +337,17 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -373,6 +363,10 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
+ }
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@@ -389,35 +383,15 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# update Main OS
#
- # Add servicing stack update (Step 18 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
- # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
- # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
- # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
- # and installed first before the combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ # Add servicing stack update (Step 17 from the table). Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
- # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
- # Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Optional: Add language to main OS
+ # Optional: Add language to main OS and corresponding language experience Features on Demand
Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
- # Optional: Add a Features on Demand to the image
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -436,22 +410,47 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
- # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+ # Optional: Add additional Features On Demand
+ For ( $index = 0; $index -lt $FOD.count; $index++)#
+ {
+ Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Optional: Add Legacy Features
+ For ( $index = 0; $index -lt $OC.count; $index++)
+ {
+ Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
# Add latest cumulative update
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
- # Perform image cleanup
+ # Perform image cleanup. Some Optional Components might require the image to be booted, and thus
+ # image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ if ($LastExitCode -eq -2146498554)
+ {
+ # We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
+ # This is likely due to legacy components being added that require online operations.
+ Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
+ }
+ else
+ {
+ throw "Error: Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
- #
- # Note: If I wanted to enable additional Optional Components, I'd add these here.
- # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
- # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
- #
-
+ # Finally, we'll add .NET 3.5 and the .NET cumulative update
Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -465,7 +464,6 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Export
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
@@ -474,7 +472,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
-This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@@ -484,31 +482,14 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
-Foreach ($IMAGE in $WINPE_IMAGES) {
+Foreach ($IMAGE in $WINPE_IMAGES)
+{
# update WinPE
Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 9 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update
- # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
-
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
@@ -518,38 +499,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
- Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
-
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
@@ -558,15 +535,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -576,9 +555,14 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
- if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
+ if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
+ {
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
+ }
}
# Add latest cumulative update
@@ -588,28 +572,31 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
- if ($IMAGE.ImageIndex -eq "2") {
-
+ if ($IMAGE.ImageIndex -eq "2")
+ {
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
- if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") {
-
+ if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
+ {
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
- else {
-
+ else
+ {
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
-
}
# Dismount
@@ -618,15 +605,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
#Export WinPE
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
+
```
### Update remaining media files
-This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe and boot manager files using the previously saved versions from WinPE.
+This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe, and boot manager files using the previously saved versions from WinPE.
```powershell
#
@@ -636,14 +623,18 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
+if ($LastExitCode -ne 0)
+{
+ throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
+}
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
-if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
-
+if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
+{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
@@ -651,16 +642,15 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
-Foreach ($File in $MEDIA_NEW_FILES){
+Foreach ($File in $MEDIA_NEW_FILES)
+{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
@@ -685,4 +675,5 @@ Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
+
```
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 0f7b0fe8c7..818669e001 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,6 +1,6 @@
---
title: Update release cycle for Windows clients
-description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/04/2024
+ms.date: 01/31/2025
---
# Update release cycle for Windows clients
@@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
@@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
To access the optional nonsecurity preview release:
-- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
+- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
+
+
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
@@ -83,6 +90,9 @@ Some key considerations about OOB releases include:
- Critical OOB releases are automatically available to WSUS and Windows Update client policies, just like the monthly security update releases.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 85af66e440..f8476b518e 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -15,48 +15,31 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 12/08/2023
+ms.date: 1/22/2025
---
# Servicing stack updates
## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. [CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as:
-## Why should servicing stack updates be installed and kept up to date?
-
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't have the latest servicing stack update installed, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+- Deployment Image Servicing and Management (DISM)
+- System File Checker (SFC)
+- Changing Windows features or roles
+- Component repair
-## When are they released?
-
-Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions, a servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly security update. New servicing stack updates are classified as `Security` with a severity rating of `Critical`.
+[CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
## What's the difference between a servicing stack update and a cumulative update?
-Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
+Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates.
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-
-Microsoft publishes all cumulative updates and servicing stack updates for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in Windows Server Update Services (WSUS).
-
-## Is there any special guidance?
-
-Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
-
-Most users don't need to install an isolated servicing stack update. In the rare case that you need to install an isolated servicing stack update, Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-
-## Installation notes
-
-* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
-* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive.
-* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
-* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
-* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
-
-## Simplifying on-premises deployment of servicing stack updates
-
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both WSUS and the Microsoft Update Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382), released in February of 2021.
+Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article.
+## When are they released?
+
+Changes in the servicing stack are developed and released as part of the monthly cumulative update depending on new issues or vulnerabilities. In rare occasions, a prerequisite servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly cumulative update. Out of band servicing stack updates are classified as Security with a severity rating of Critical.
+
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 5da693649e..78f9f1690b 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements:
1. **The date and time** - 2023-09-08 09:20:05
-1. **The log level** - Info, Warning, Error, Fatal Error
+2. **The log level** - Info, Warning, Error, Fatal Error
-1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
-1. **The message** - Operation completed successfully.
+4. **The message** - Operation completed successfully.
See the following example:
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
index da72341ab0..444ff9cf37 100644
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.service: windows-client
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 00ae1403ff..c66b48114b 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -12,7 +12,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,
"Remediation":[
-
+
],
"SetupPhaseInfo":null,
"SetupOperationInfo":null
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 48726194a2..5caad8feef 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index c7251d75b2..34c5e47773 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -8,7 +8,7 @@ author: frankroj
ms.localizationpriority: medium
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/18/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -18,7 +18,7 @@ appliesto:
> [!NOTE]
>
-> This article is a 300 level article (moderately advanced).
+> This article is a 300 level article (moderately advanced).
>
> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section.
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index 1033866907..4d1dcd205e 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.subservice: itpro-deploy
-ms.date: 02/13/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 9e1d97ccac..3a2a091e06 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 08/30/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index d189141607..563fffa13b 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 08/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index f0fdf74531..e69fa2a0eb 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 8e72361a5d..631c7b6aa6 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us
## What offline environments are supported?
-All currently supported
+All currently supported
The following table defines the supported combination of online and offline operating systems in USMT.
@@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in
```xml
- C:\Windows
- D:\Windows
- E:\
+ C:\Windows
+ D:\Windows
+ E:\
1
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 3adb68387b..2994c4a929 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 4ebf6ff55f..fe77583153 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 1847cce5d9..e8a0d69a2f 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 4844937b52..71da51bdda 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 1685667185..d618b669c3 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index c0e4682965..f77777e41f 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th
-
+
-->
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index f9874a4d2f..c2a0454e4b 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c
%CSIDL_PERSONAL%\* [*.doc]
-
+
```
### How does USMT process each component in an .xml file with multiple components?
@@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3
C:\* [*.mp3]
-
+
```
### \ and \ rules precedence examples
@@ -185,11 +185,11 @@ The destination computer contains the following files:
A custom **.xml** file contains the following code:
```xml
-
-
- c:\data\* [*]
-
-
+
+
+ c:\data\* [*]
+
+
```
For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file.
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 130f3031c8..c398822c63 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra
My Video
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the `
-
-
+
+
@@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the `
-
+
C:\*\Presentations\* [*]
C:\Presentations\* [*]
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 8eefa733d4..00a902de28 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index bad57314e9..098c1a8a45 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 014e48a76e..ae5b4e142e 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 354badb01a..72388d511e 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 59234776e5..9fefd6f0b4 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index 666888f9d3..fb9a10a99e 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -11,12 +11,12 @@ metadata:
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
- ms.date: 01/09/2024
+ ms.date: 01/29/2025
ms.topic: faq
title: Frequently Asked Questions
summary: |
**Applies to:**
-
+
- Windows 11
- Windows 10
@@ -30,13 +30,13 @@ sections:
How much space is needed on the destination computer?
answer: |
The destination computer needs enough available space for the following items:
-
+
- Operating system
-
+
- Applications
-
+
- Uncompressed store
-
+
- question: |
Can the files and settings be stored directly on the destination computer or is a server needed?
answer: |
@@ -47,13 +47,13 @@ sections:
- Directly on the destination computer.
To store it directly on the destination computer:
-
+
1. Create and share the directory `C:\store` on the destination computer.
-
+
1. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store`
-
+
1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
-
+
- question: |
Can data be migrated between operating systems with different languages?
answer: |
@@ -80,7 +80,7 @@ sections:
How can a folder or a certain type of file be excluded from the migration?
answer: |
The **\** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\** rules that are in the **.xml** files. For an example, see **\** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
-
+
- question: |
What happens to files that were located on a drive that don't exist on the destination computer?
answer: |
@@ -91,22 +91,22 @@ sections:
- C:\\ is the system drive on the destination computer.
the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\** rules attempt to move data to a drive that doesn't exist on the destination computer.
-
+
- name: USMT .xml Files
questions:
- question: |
Where are there examples of USMT **.xml** files?
answer: |
The following articles include examples of USMT **.xml** files:
-
+
- [Exclude files and settings](usmt-exclude-files-and-settings.md)
-
+
- [Reroute files and settings](usmt-reroute-files-and-settings.md)
-
+
- [Include files and settings](usmt-include-files-and-settings.md)
-
+
- [Custom XML examples](usmt-custom-xml-examples.md)
-
+
- question: |
Can custom **.xml** files that were written for USMT 5.0 be used?
answer: |
@@ -121,9 +121,9 @@ sections:
Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands?
answer: |
The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings.
-
+
If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- question: |
Which files can be modified and specified on the command line?
answer: |
@@ -133,20 +133,20 @@ sections:
What happens if the **.xml** files aren't specified on the command line?
answer: |
- **ScanState**
-
+
If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
-
+
- **LoadState**
-
+
If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`.
-
+
- name: Conflicts and Precedence
questions:
- question: |
What happens when there are conflicting XML rules or conflicting objects on the destination computer?
answer: |
For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
-
+
additionalContent: |
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 38b66a02b6..950371b73e 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library
The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
For example, specify the file
-
+
`C:\Windows\Notepad.exe`
-
+
as
-
+
**c:\\Windows\[Notepad.exe\]**
-
+
Similarly, specify the directory
-
+
`C:\Windows\System32`
-
+
as
-
+
**c:\\Windows\\System32**
-
+
Note the absence of the **\[\]** characters in second example.
The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index d2cae89bc7..7c21f7e783 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 591b1d3804..0da69dfec4 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol
There are three types of components:
- Components that migrate the operating system settings.
-
+
- Components that migrate application settings.
- Components that migrate users' files.
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index c3589124d1..72231c5f35 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index feca874008..41d2a4f881 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index e5b15c352d..e46ff9f218 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index cedbe8d1f9..941df2cced 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 736881d3b3..314590b2b7 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -9,7 +9,7 @@ author: frankroj
ms.topic: conceptual
ms.localizationpriority: medium
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 01/29/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index f4d79a27f2..6ff87626e6 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key.
```xml
- Component to migrate only registry value string
+ Component to migrate only registry value string
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
@@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
-
+
+
@@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin
-
+
C:\*\EngineeringDrafts\* [*]
C:\EngineeringDrafts\* [*]
@@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive
-
+
```
## Migrate a specific file
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index a4bf1f2eeb..30667f7873 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 70f159b544..27e897b01d 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 39944f9a6a..8d146557a2 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 41f319446d..2e82b3db4e 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index b5dc3eb5fe..2084dbdd22 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index f0023bfc0b..0e8726cf9a 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -7,7 +7,7 @@ author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: overview
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 20bbc09ad5..6fbc90a488 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 0d2153bbaa..74170fceed 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.collection:
- highpri
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index 9581170803..adeaf3c10e 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 26b5f86f7a..438b71d40b 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index f002c6d337..e7a5305f00 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed
-
+
```
## Reroute a specific file
@@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin
Sample.doc into the Documents folder
-
-
+
+
C:\EngineeringDrafts\ [Sample.doc]
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 239d7be582..6e81c92b9a 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -23,7 +23,7 @@ appliesto:
- Microsoft Visual Studio
- The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio.
-
+
For more information about how to use the schema with an XML authoring environment, see the environment's documentation.
- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS).
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 24f73b72d1..a25a4bde8e 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 04/30/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 1254f4fef0..d269cd7597 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 57767aecf4..4b1d005a41 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index e3be3d8fd0..56ee8a1868 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 3e85b84a37..3ca79322a4 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 20c70db094..bef1f41088 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index e03e8db9c0..56cee12f98 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/18/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index a4694c75a9..fc41899980 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
@@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file:
%HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang]
DWORD
00000000
-
+
```
## \
@@ -1070,10 +1070,10 @@ Example:
-
DOC
@@ -1126,18 +1126,18 @@ Syntax:
For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\** element:
```xml
-
- doc
-
+
+ doc
+
```
is the same as specifying the following code below the **\** element:
```xml
-
-
-
-
+
+
+
+
```
@@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYVIDEO%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
@@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the
%CSIDL_STARTMENU%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")
-
+
@@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file:
%CSIDL_MYMUSIC%
-
+
MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
+
@@ -1969,7 +1969,7 @@ Examples:
To migrate the Sample.doc file from any drive on the source computer, use **\** as follows. If multiple files exist with the same name, all such files get migrated.
```xml
-
+
```
For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
@@ -2171,7 +2171,7 @@ For example:
```xml
- %CSIDL_COMMON_APPDATA%\QuickTime
+ %CSIDL_COMMON_APPDATA%\QuickTime
```
@@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi
-
+
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index 3b1f32fc27..21d2195393 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 818a24659e..f611d55175 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 7d1969ad11..8b1d97b433 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.date: 01/09/2024
+ms.date: 01/29/2025
ms.topic: conceptual
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
index efb01d9aa2..d92f402704 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -20,7 +20,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
> [!IMPORTANT]
-> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
@@ -40,14 +40,14 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati
### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)
-This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key:
-Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**`
-Key value: `**HotPatchRestrictions=1**`
+This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key:
+Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management`
+DWORD key value: HotPatchRestrictions=1
-> [!IMPORTANT:]
-> This setting is required because it forces the operating system to use the emulation x86-only binaries insetad of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
+> [!IMPORTANT]
+> This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices.
-If you choose to no longer use Hotpatch updates, clear the CHPE disasble flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
+If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
## Eligible devices
@@ -76,7 +76,7 @@ For more information about the release calendar for Hotpatch updates, see [Relea
## Enroll devices to receive Hotpatch updates
> [!NOTE]
-> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
**To enroll devices to receive Hotpatch updates:**
@@ -94,4 +94,4 @@ For more information about the release calendar for Hotpatch updates, see [Relea
These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
> [!NOTE]
-> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply.
+> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
index cce3435eec..ffcd082e07 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
@@ -78,6 +78,9 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
> [!IMPORTANT]
> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> [!CAUTION]
+> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports.
+
## Rename an Autopatch group
**To rename an Autopatch group:**
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
index ddab13c440..e968491819 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -68,7 +68,7 @@ For deployment rings set to **Automatic**, you can choose the deferral period fo
The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period.
-The deferral period can be set from 0 to 14 days, and it can be different for each deployment ring.
+The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring.
> [!NOTE]
> The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index c7543c92be..138807e7f0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
- device.autopatch.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
- devicelistenerprod.microsoft.com
- login.windows.net
- device.autopatch.microsoft.com
|
## Delivery Optimization
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
index 4ee7ef2757..42881a0f12 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md
@@ -43,7 +43,7 @@ All App Control for Business policy changes should be deployed in audit mode bef
## Choose how to deploy App Control policies
> [!IMPORTANT]
-> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
+> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. We recommend [deploying via script](deploy-appcontrol-policies-with-script.md) in this case.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
index 23d40c8440..f2ebb636f5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md
@@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
-- webclnt.dll/davsvc.dll
+- webclnt.dll/davsvc.dll3
- wfc.exe
- windbg.exe
- wmic.exe
@@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe.
+3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies.
+
* Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
index df6cb4eff5..67506d5785 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules.md
@@ -3150,7 +3150,6 @@ The following recommended blocklist xml policy file can also be downloaded from
-
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
index c8bb39fb47..617ba5eb29 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
@@ -9,7 +9,7 @@ appliesto:
# CiTool technical reference
-CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
+CiTool makes App Control for Business policy management easier for IT admins. You can use this tool to manage App Control for Business policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's included in the Windows images starting with Windows 11, version 22H2, and Windows Server 2025.
## Policy commands
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
index c8ed951135..c2de68aab3 100644
--- a/windows/security/application-security/application-isolation/toc.yml
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -1,20 +1,16 @@
items:
- name: Microsoft Defender Application Guard (MDAG)
href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge standalone mode
- href: microsoft-defender-application-guard/md-app-guard-overview.md
-- name: MDAG for Edge enterprise mode and enterprise management 🔗
- href: /deployedge/microsoft-edge-security-windows-defender-application-guard
-- name: MDAG for Microsoft Office
- href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
-- name: MDAG configure via MDM 🔗
- href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
+ items:
+ - name: MDAG for Microsoft Edge standalone mode
+ href: microsoft-defender-application-guard/md-app-guard-overview.md
+ - name: MDAG for Microsoft Edge enterprise mode and enterprise management 🔗
+ href: /deployedge/microsoft-edge-security-windows-defender-application-guard
+ - name: MDAG for Microsoft Office
+ href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
+ - name: Configure MDAG via MDM 🔗
+ href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
- name: App containers 🔗
href: /virtualization/windowscontainers/about
- name: Windows Sandbox
- href: windows-sandbox/windows-sandbox-overview.md
- items:
- - name: Windows Sandbox architecture
- href: windows-sandbox/windows-sandbox-architecture.md
- - name: Windows Sandbox configuration
- href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+ href: windows-sandbox/index.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/index.md b/windows/security/application-security/application-isolation/windows-sandbox/index.md
new file mode 100644
index 0000000000..90957adc4b
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/index.md
@@ -0,0 +1,43 @@
+---
+title: Windows Sandbox
+description: Windows Sandbox overview
+ms.topic: overview
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox
+
+Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It's ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience.
+
+The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly.
+
+> [!NOTE]
+> Starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot.
+
+Windows Sandbox offers the following features:
+
+- **Part of Windows**: Everything required for this feature is included in the supported Windows editions like Pro, Enterprise, and Education. There's no need to maintain a separate VM installation.
+- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
+- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
+- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
+- **Efficient**: Takes a few seconds to launch, supports virtual GPU, and has smart memory management that optimizes memory footprint.
+
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network.
+
+WSB can be used without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can use WSB:
+
+- **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+- **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+- **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details.
+- **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine.
+- **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies!
+
+> [!NOTE]
+> Windows Sandbox currently doesn't allow multiple instances to run simultaneously.
+
+
+[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
new file mode 100644
index 0000000000..9654e55dcd
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml
@@ -0,0 +1,26 @@
+items:
+- name: Windows Sandbox
+ href: index.md
+- name: Overview
+ expanded: true
+ items:
+ - name: Windows Sandbox versions
+ href: windows-sandbox-versions.md
+ - name: Architecture
+ href: windows-sandbox-architecture.md
+- name: Install Windows Sandbox
+ href: windows-sandbox-install.md
+- name: Use & configure Windows Sandbox
+ href: windows-sandbox-configure-using-wsb-file.md
+- name: Windows Sandbox command line interface
+ href: windows-sandbox-cli.md
+- name: Tutorials
+ items:
+ - name: Sample configuration files
+ href: windows-sandbox-sample-configuration.md
+- name: WindowsSandbox Policy CSP 🔗
+ href: /windows/client-management/mdm/policy-csp-windowssandbox
+- name: Frequently asked questions
+ href: windows-sandbox-faq.yml
+- name: Troubleshooting
+ href: windows-sandbox-troubleshoot.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index 0da205053a..fcb9b56ddc 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -2,7 +2,7 @@
title: Windows Sandbox architecture
description: Windows Sandbox architecture
ms.topic: conceptual
-ms.date: 03/26/2024
+ms.date: 09/09/2024
---
# Windows Sandbox architecture
@@ -27,18 +27,10 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
## Memory sharing
-Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when `ntdll.dll` is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
-## Integrated kernel scheduler
-
-With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
-
-
-
-Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.
-
## WDDM GPU virtualization
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
new file mode 100644
index 0000000000..c181a80a91
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md
@@ -0,0 +1,101 @@
+---
+title: Windows Sandbox command line
+description: Windows Sandbox command line interface
+ms.topic: how-to
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox command line interface
+
+Starting with Windows 11, version 24H2, the Windows Command Line Interface (CLI) offers powerful tools for creating, managing, and controlling sandboxes, executing commands, and sharing folders within sandbox sessions. This functionality is especially valuable for scripting, task automation, and improving development workflows. In this section, you'll explore how the Windows Sandbox CLI operates, with examples demonstrating how to use each command to enhance your development process.
+
+**Common parameters**:
+
+- `--raw`: Formats all outputs in JSON format.
+- `-?, -h, --help`: Show help and usage information
+
+## Start
+
+The start command creates and launches a new sandbox. The command returns the sandbox ID, which is a unique identifier for the sandbox. The sandbox ID can be used to refer to the sandbox in other commands.
+
+- `--id `: ID of the Windows Sandbox environment.
+- `--c, --config `: Formatted string with the settings that should be used to create the Windows Sandbox environment.
+
+**Examples**:
+
+- Create a Windows Sandbox environment with the default settings:
+
+ ```cmd
+ wsb start
+ ```
+
+- Create a Windows Sandbox environment with a custom configuration:
+
+ ```cmd
+ wsb start --config "Disabled"
+ ```
+
+## List
+
+The list command displays a table that shows the information the running Windows Sandbox sessions for the current user. The table includes the sandbox ID. The status can be either running or stopped. The uptime is the duration that the sandbox has been running.
+
+```cmd
+wsb list
+```
+
+## Exec
+
+The exec command executes a command in the sandbox. The command takes two arguments: the sandbox ID and the command to execute. The command can be either a built-in command or an executable file. The exec command runs the command in the sandbox and returns the exit code. The exec command can also take optional arguments that are passed to the process started in the sandbox.
+
+> [!NOTE]
+> Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox.
+
+An active user session is required to execute a command in the context of the currently logged on user. Therefore, before running this command a remote desktop connection should be established. This can be done using the [connect](#connect) command.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox.
+- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command runs in the system context. If the ExistingLogin option is selected, the command runs in the currently active user session or fails if there's no active user session.
+- `-d, --working-directory `: Directory to execute command in.
+
+```cmd
+wsb exec –-id 12345678-1234-1234-1234-1234567890AB -c app.exe -r System
+```
+
+## Stop
+
+The stop command stops a running Windows Sandbox session. The command takes the sandbox ID as an argument.
+
+The stop command terminates the sandbox process and releases the resources allocated to the sandbox. The stop command also closes the window that shows the sandbox desktop.
+
+```cmd
+wsb stop --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## Share
+
+The share command shares a host folder with the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder.
+
+- `--id ` (REQUIRED): ID of the Windows Sandbox environment.
+- `-f, --host-path ` (REQUIRED): Path to folder that is shared from the host.
+- `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox.
+- `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder.
+
+```cmd
+wsb share --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write
+```
+
+## Connect
+
+The connect command starts a remote session within the sandbox. The command takes the sandbox ID as an argument. The connect command opens a new window with a remote desktop session. The connect command allows the user to interact with the sandbox using the mouse and keyboard.
+
+```cmd
+wsb connect --id 12345678-1234-1234-1234-1234567890AB
+```
+
+## IP
+
+The ip command displays the IP address of the sandbox. The command takes the sandbox ID as an argument.
+
+```cmd
+wsb ip --id 12345678-1234-1234-1234-1234567890AB
+```
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 0de253e2e9..f1a42226e3 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,11 +1,32 @@
---
-title: Windows Sandbox configuration
-description: Windows Sandbox configuration
+title: Use and configure Windows Sandbox
+description: Use and configure Windows Sandbox
ms.topic: how-to
-ms.date: 03/26/2024
+ms.date: 09/09/2024
---
-# Windows Sandbox configuration
+# Use and configure Windows Sandbox
+
+To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with maximum capacity of 4GB memory with the following properties:
+
+- **vGPU (virtualized GPU)**: Enabled on non-Arm64 devices.
+- **Networking**: Enabled. The sandbox uses the Hyper-V default switch.
+- **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox.
+- **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox.
+- **Protected client**: Disabled. The sandbox doesn't use increased security settings on the Remote Desktop Protocol (RDP) session.
+- **Printer redirection**: Disabled. The sandbox doesn't share printers with the host.
+- **Clipboard redirection**: Enabled. The sandbox shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+
+> [!IMPORTANT]
+>
+> - Networking is enabled by default. This can expose untrusted applications to the internal network. To launch a Sandbox with networking disabled, use a custom .wsb file.
+> - With Clipboard redirection automatically enabled, you can easily copy files from the host and paste them into the Windows Sandbox window.
+
+You have the freedom to open files, install applications from the web, and perform various other tasks that benefit from an isolated clean environment.
+
+When you're finished experimenting, close the sandbox. A dialog box prompts you to confirm the deletion of all sandbox content. Select **Ok** to proceed. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
+
+## Configure a custom Windows Sandbox
Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension.
@@ -14,7 +35,7 @@ A configuration file enables the user to control the following aspects of Window
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data.
-- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Logon command**: A command to execute when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox.
@@ -25,7 +46,7 @@ A configuration file enables the user to control the following aspects of Window
> [!NOTE]
> The size of the sandbox window currently isn't configurable.
-## Creating a configuration file
+## Create a configuration file
To create a configuration file:
@@ -37,10 +58,8 @@ To create a configuration file:
```
-3. Add appropriate configuration text between the two lines. For details, see [examples](#examples).
-4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
-
-## Using a configuration file
+3. Add appropriate configuration text between the two lines. For details, see [examples](windows-sandbox-sample-configuration.md).
+4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"MyConfigFile.wsb"`.
To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
@@ -48,19 +67,21 @@ To use a configuration file, double-click it to start Windows Sandbox according
C:\Temp> MyConfigFile.wsb
```
-## Keywords, values, and limits
+## Configuration options
### vGPU
Enables or disables GPU sharing.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables vGPU support in the sandbox.
-- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
-- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
+- **Enable**: Enables vGPU support in the sandbox.
+- **Disable**: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
+- **Default**: This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
@@ -69,20 +90,24 @@ Supported values:
Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables networking in the sandbox.
-- *Disable*: Disables networking in the sandbox.
-- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+- **Enable**: Enables networking in the sandbox.
+- **Disable**: Disables networking in the sandbox.
+- **Default**: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.
### Mapped folders
-An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop.
+An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported.
+
+When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). Beginning in Windows 11, version 23H2, you can use environment variables in the path.
```xml
@@ -97,12 +122,12 @@ An array of folders, each representing a location on the host machine that is sh
```
-- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
-- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop.
-- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
+- **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
+- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container user's desktop. The default user of Sandbox is `WDAGUtilityAccount`.
+- **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE]
-> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
+> Files and folders mapped from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed.
### Logon command
@@ -114,22 +139,24 @@ Specifies a single command that will be invoked automatically after the sandbox
```
-*Command*: A path to an executable or script inside the container that will be executed after signing in.
+**Command**: A path to an executable or script inside the container that will be executed after signing in.
> [!NOTE]
-> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
+> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via ``.
### Audio input
Enables or disables audio input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability.
-- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
-- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
+- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone might require this capability.
+- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone might not function properly with this setting.
+- **Default**: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
@@ -138,30 +165,32 @@ Supported values:
Enables or disables video input to the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables video input in the sandbox.
-- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
-- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
+- **Enable**: Enables video input in the sandbox.
+- **Disable**: Disables video input in the sandbox. Applications that use video input might not function properly in the sandbox.
+- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input might not function properly in the sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
### Protected client
-When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment.
+When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment. AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation.
-
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
-- *Disable*: Runs the Sandbox in the standard mode without extra security mitigations.
-- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
+- **Enable**: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation.
+- **Disable**: Runs the Sandbox in the standard mode without extra security mitigations.
+- **Default**: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
@@ -170,135 +199,36 @@ Supported values:
Enables or disables printer sharing from the host into the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of host printers into the sandbox.
-- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
-- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
+- **Enable**: Enables sharing of host printers into the sandbox.
+- **Disable**: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
+- **Default**: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
### Clipboard redirection
Enables or disables sharing of the host clipboard with the sandbox.
-`value`
+```xml
+value
+```
Supported values:
-- *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
-- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
+- **Enable**: Enables sharing of the host clipboard with the sandbox.
+- **Disable**: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
+- **Default**: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
Specifies the amount of memory that the sandbox can use in megabytes (MB).
-`value`
-
-If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount.
-
-## Examples
-
-### Example 1
-
-The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
-
-#### Downloads.wsb
-
```xml
-
- Disable
- Disable
-
-
- C:\Users\Public\Downloads
- C:\Users\WDAGUtilityAccount\Downloads
- true
-
-
-
- explorer.exe C:\users\WDAGUtilityAccount\Downloads
-
-
+value
```
-### Example 2
-
-The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
-
-Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
-
-With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
-
-#### VSCodeInstall.cmd
-
-Downloads VS Code to `downloads` folder and runs installation from `downloads` folder.
-
-```batch
-REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
-
-REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
-```
-
-#### VSCode.wsb
-
-```xml
-
-
-
- C:\SandboxScripts
- C:\Users\WDAGUtilityAccount\Downloads\sandbox
- true
-
-
- C:\CodingProjects
- C:\Users\WDAGUtilityAccount\Documents\Projects
- false
-
-
-
- C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd
-
-
-```
-
-### Example 3
-
-The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
-
-`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
-
-#### SwapMouse.ps1
-
-Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
-
-```powershell
-[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
-
-$SwapButtons = Add-Type -MemberDefinition @'
-[DllImport("user32.dll")]
-public static extern bool SwapMouseButton(bool swap);
-'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
-
-$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
-```
-
-### SwapMouse.wsb
-
-```xml
-
-
-
- C:\sandbox
- C:\sandbox
- True
-
-
-
- powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
-
-
-```
+If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount of 2048 MB.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
new file mode 100644
index 0000000000..ca1408a957
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml
@@ -0,0 +1,107 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows Sandbox frequently asked questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows Sandbox.
+ author: vinaypamnani-msft
+ ms.author: vinpa
+ ms.topic: faq
+ ms.date: 10/23/2024
+
+title: Common questions about Windows Sandbox
+summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Sandbox.
+
+sections:
+
+ - name: Concepts
+ questions:
+
+ - question: Who can use WSB?
+ answer: |
+ WSB can be used in various scenarios by anyone without any technical skills. Here are some ways in which you can use WSB:
+
+ - **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
+ - **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
+ - **Running Untrusted Applications**: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB.
+ - **Test software features risk-free**: Easily test out software without the need for installing or uninstalling on your host machine.
+ - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments.
+ - **Privacy Protection**: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques.
+
+ - question: What's the difference between a Hyper-V virtual machine (VM) and Windows Sandbox?
+ answer: |
+ 1. **Lightweight and Temporary**:
+ - Windows Sandbox: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system.
+ - Hyper-V VMs: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up.
+ 1. **Security Isolation**:
+ - Windows Sandbox: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it.
+ - Hyper-V VMs: While VMs also offer isolation, they persistently store changes unless you revert them manually.
+ 1. **Resource Efficiency**:
+ - Windows Sandbox: More resource efficient than a full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files.
+ - Hyper-V VMs: VMs have fixed resource allocations, which can impact overall system performance.
+ 1. **Ease of Use**:
+ - Windows Sandbox: Simple to use—just open it, test your software, and close it. No complex setup or management.
+ - Hyper-V VMs: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots.
+
+ - question: What applications aren't supported inside a Windows Sandbox?
+ answer: |
+ Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' aren't supported.
+ While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps.
+
+ - name: Usage
+ questions:
+
+ - question: Why can I not change certain settings using a config file?
+ answer: |
+ You can't make changes to properties if they're controlled by Group Policy. Contact your IT Administrator for more details.
+
+ - question: How do I open multiple Sandbox instances?
+ answer: |
+ Today, Windows Sandbox only allows users to launch one Sandbox instance at a time.
+
+ - question: Installing the latest version of Windows Sandbox fails. How do I fix this?
+ answer: |
+ Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the update is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install.
+
+
+ - question: How do I know which version of Windows Sandbox am I running?
+ answer: |
+ Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you're running an older version of Windows Sandbox. If it returns a version number, you're running the newer version.
+ Alternatively, you can run `wsb --version`. If `wsb` is not available, you're running an older version of Windows Sandbox.
+ The new version of Windows Sandbox also appears in Windows Settings under **System** > **System components**.
+
+ - question: How do I save the Sandbox state?
+ answer: |
+ Windows Sandbox is temporary; closing it deletes all software, files, and state.
+
+ - question: How can I open Windows Sandbox with a different OS version?
+ answer: |
+ Windows Sandbox only allows you to use the same build as your host OS. This allows us to keep Windows Sandbox 'lightweight'.
+
+ - question: How do I uninstall Windows Sandbox?
+ answer: |
+ To remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK.
+
+ - name: Feedback
+ questions:
+
+ - question: Where can I provide feedback?
+ answer: |
+ You can file a bug in Feedback Hub by:
+
+ 1. Open the Feedback Hub app.
+ 1. Select **Report a problem** or **Suggest a feature**.
+ 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes:
+ - Short and descriptive issue title.
+ - Windows version and build number, which can be gathered from a command prompt using the `cmd.exe --version` command.
+ - Device information (including CPU type, memory, disk etc.)
+ - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text can't be captured.
+ - Behavior you were expecting.
+ 1. Select an appropriate category and subcategory by using the dropdown menus. There's a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It's located under **Security and Privacy** category.
+ 1. Select **Next**.
+ 1. If you are able to reproduce the issue, please collect traces as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**.
+ 1. Attach any relevant screenshots or files for the problem, then select **Submit**.
+
+ Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to:
+
+ - **Search existing issues** to see if there are any associated with a problem that you're having. In the search bar, you can remove "is:open" to include resolved issues in your search. Consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority.
+ - **File a new issue**: If you have found a problem with WSB or WSB documentation and there doesn't appear to be an existing issue, you can select the green **New issue** button and then choose **WSB - Bug Report**. Provide a title for the issue, your Windows build number, whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate.
+ - **File a feature request** by selecting the green **New issue** button and then select **Feature request**, then answer the questions describing your request.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
new file mode 100644
index 0000000000..32b1aee636
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md
@@ -0,0 +1,59 @@
+---
+title: Install Windows Sandbox
+description: Install Windows Sandbox
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Install Windows Sandbox
+
+## Prerequisites
+
+- Arm64 (for Windows 11, version 22H2 and later) or AMD64 architecture
+- Virtualization capabilities enabled in BIOS
+- At least 4 GB of RAM (8 GB recommended)
+- At least 1 GB of free disk space (SSD recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Beginning in Windows 11, version 24H2, inbox store apps like Calculator, Photos, Notepad and Terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
+
+## Installation
+
+1. Ensure that your machine is using Windows 11 or Windows 10, version 1903 or later.
+
+2. Enable virtualization on the machine.
+
+ - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
+ - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
+
+ ```powershell
+ Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
+ Update-VMVersion -VMName
+ ```
+
+3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+
+ If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
+
+ > [!NOTE]
+ > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
+ >
+ > ```powershell
+ > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
+ > ```
+
+4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
+
+ > [!NOTE]
+ > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system.
+ >
+ > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-sample-configuration.md#example-3---mapping-folders-and-running-a-powershell-script-as-a-logon-command).
+
+## Try WSB preview features by joining the Windows Insider Program
+
+To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). After joining the Windows Insiders Program, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from:
+
+- **Dev channel**: Most recent updates, but low stability.
+- **Beta channel**: Ideal for early adopters, more reliable builds than the Dev channel.
+- **Release Preview channel**: Preview fixes and key features on the next version of Windows just before its available to the general public.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
deleted file mode 100644
index 8d8f873a38..0000000000
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Windows Sandbox
-description: Windows Sandbox overview
-ms.topic: conceptual
-ms.date: 03/26/2024
----
-
-# Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
-
-A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
-
-Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
-
-Windows Sandbox has the following properties:
-
-- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD).
-- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
-- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
-- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
-- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
-
-> [!IMPORTANT]
-> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]
-
-## Prerequisites
-
-- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
-- Virtualization capabilities enabled in BIOS
-- At least 4 GB of RAM (8 GB recommended)
-- At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyper-threading recommended)
-
-> [!NOTE]
-> Windows Sandbox is currently not supported on Windows Home edition.
-> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon.
-## Installation
-
-1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11.
-
-2. Enable virtualization on the machine.
-
- - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
-
- ```powershell
- Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true
- Update-VMVersion -VMName
- ```
-
-3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
-
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
-
- > [!NOTE]
- > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
- >
- > ```powershell
- > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
- > ```
-
-4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
-
- > [!NOTE]
- > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
-
-## Usage
-
-1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
-2. Run the executable file or installer inside the sandbox.
-3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**.
-4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
new file mode 100644
index 0000000000..8d1a0ca697
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md
@@ -0,0 +1,112 @@
+---
+title: Windows Sandbox sample configuration files
+description: Windows Sandbox sample configuration files
+ms.topic: how-to
+ms.date: 09/09/2024
+---
+
+# Windows Sandbox sample configuration files
+
+## Example 1 - Mapping Folders and testing an unknown downloaded file in a Sandbox
+
+The following config file can be used to easily test unknown downloaded files inside a sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the downloads folder from the host and is placed inside a 'temp' folder in the sandbox. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
+
+### Downloads.wsb
+
+```xml
+
+ Disable
+ Disable
+
+
+ C:\Users\Public\Downloads
+ C:\temp
+ true
+
+
+
+ explorer.exe C:\temp
+
+
+
+```
+
+## Example 2 - Installing Visual Studio Code at launch in a Sandbox
+
+The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
+
+Two folders are mapped into the sandbox; the first (`SandboxScripts`) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (`CodingProjects`) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
+
+With the Visual Studio Code installer script already mapped into the sandbox, the `` can reference it.
+
+### VSCodeInstall.cmd
+
+This batch file should be created in the `C:\SandboxScripts` directory on the host. It downloads VS Code to `temp` folder inside the sandbox and runs installation from `temp` folder.
+
+```batch
+REM Download Visual Studio Code
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\temp\vscode.exe
+
+REM Install and run Visual Studio Code
+C:\temp\vscode.exe /verysilent /suppressmsgboxes
+```
+
+### VSCode.wsb
+
+```xml
+
+
+
+ C:\SandboxScripts
+ C:\temp\sandbox
+ true
+
+
+ C:\CodingProjects
+ C:\temp\Projects
+ false
+
+
+
+ C:\temp\sandbox\VSCodeInstall.cmd
+
+
+```
+
+## Example 3 - Mapping Folders and running a PowerShell script as a Logon Command
+
+Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting.
+
+In this example, the `C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+
+
+
+ C:\sandbox
+ C:\sandbox
+ True
+
+
+
+ powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
+
+
+```
\ No newline at end of file
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
new file mode 100644
index 0000000000..a908b5875c
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md
@@ -0,0 +1,21 @@
+---
+title: Troubleshoot Windows Sandbox
+description: Troubleshoot Windows Sandbox
+ms.topic: troubleshooting
+ms.date: 09/09/2024
+---
+
+# Troubleshoot Windows Sandbox
+
+This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#where-can-i-provide-feedback)
+
+| Error | Possible Solution |
+|--|--|
+| `WININET_E_NAME_NOT_RESOLVED`
`WU_E_PT_ENDPOINT_UNREACHABLE` | Upgrade to Windows Sandbox app fails because user isn't connected to internet or network adapter is connected but no internet connection. Check your internet connection. |
+| `ERROR_FILE_NOT_FOUND` | `.wsb` config file provided by the user doesn't exist. Make sure that the path to the `.wsb` file is correct. |
+| `E_INVALIDARG` | The `.wsb` file provided by the user is invalid or has errors. Check the `.wsb` file. |
+| `REGDB_E_IIDNOTREG` | Verify if Windows Sandbox component is enabled under 'Turn Windows features on or off'. For more information, see [Install Windows Sandbox](windows-sandbox-install.md) |
+| `The following settings are enforced by your IT administrator.` | `.wsb` file has a setting enabled that is controlled via group policy. |
+| `No hypervisor was found. Please enable hypervisor support.` | Windows Sandbox only supports Hyper-V Hypervisor. Third-party hypervisors are not supported. Ensure that Hyper-V is enabled. |
+| `Cannot upgrade to the latest version of Windows Sandbox` | Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning with Windows 11, version 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually. |
+| `E_FAIL`, or `E_UNEXPECTED` or general failure during installation. | Possible causes:
- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin.
- Timeout error where we can't reach the Microsoft Store. Try again later. |
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
new file mode 100644
index 0000000000..42ffe331cc
--- /dev/null
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
@@ -0,0 +1,32 @@
+---
+title: Windows Sandbox versions
+description: Windows Sandbox versions
+ms.topic: conceptual
+ms.date: 10/22/2024
+---
+
+# Windows Sandbox versions
+
+Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is available from the Microsoft Store, featuring an improved user experience and new command line functionality.
+
+- **Faster Updates**: With the app now being updated through the Microsoft Store, you can install the bug fixes and new features as soon as they're available, rather than needing to wait for an update of the Windows operating system.
+- **Revamped UI**: The app now features WinUI 3, a modern and sleek user interface built on the Fluent design system.
+- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner without needing a preconfigured `.wsb` file.
+- **Command Line Preview**: An early version of [command line support](windows-sandbox-cli.md) for Windows Sandbox is now available.
+
+## Upgrading to the newer version
+
+### Prerequisites
+
+- Windows Sandbox must already be installed. If it isn't already installed, [install Windows Sandbox](windows-sandbox-install.md).
+- Device must be running Windows 11, version 24H2, with KB10D or later.
+- Internet access for Microsoft Store and Windows Update.
+
+### Upgrade
+
+- Launch **Windows Sandbox** from the Start menu.
+- If the app isn't upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes.
+- Once the installation is complete, you're directed to the updated version of the app.
+
+> [!NOTE]
+> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually.
\ No newline at end of file
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
index 8e2f55f747..d8d6385b3f 100644
--- a/windows/security/book/includes/windows-sandbox.md
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -14,4 +14,4 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software
[!INCLUDE [learn-more](learn-more.md)]
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
+- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox)
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e0cd0064c8..eebfabaaa0 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -142,9 +142,10 @@
"✅ Windows Server 2019",
"✅ Windows Server 2016"
],
- "application-security/application-control/windows-defender-application-control/**/*.md": [
+ "application-security/application-control/app-control-for-business/**/*.md": [
"✅ Windows 11",
"✅ Windows 10",
+ "✅ Windows Server 2025",
"✅ Windows Server 2022",
"✅ Windows Server 2019",
"✅ Windows Server 2016"
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index 9a2ac25742..26e30724a9 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -47,7 +47,7 @@ sections:
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
+ When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/how-it-works#biometric-data-storage) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index bc28fecee5..305932af9b 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 06/11/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
index 9bc006a4e0..3d3f9622e0 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 10/29/2024
+ms.date: 01/30/2025
---
# Transition into a passwordless deployment
@@ -123,7 +123,7 @@ function Generate-RandomPassword{
$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force
-Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset
+Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset
```
If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 43817f6227..7b2cccd5ae 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -131,7 +131,7 @@ landingContent:
- text: Microsoft Defender Application Guard (MDAG)
url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- text: Windows Sandbox
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
+ url: /windows/security/application-security/application-isolation/windows-sandbox/
- linkListType: how-to-guide
links:
- text: Configure Windows Sandbox
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
index 2e2dc3b457..2bf77557b9 100644
--- a/windows/security/licensing-and-edition-requirements.md
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -1,7 +1,7 @@
---
title: Windows Security Features Licensing And Edition Requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.topic: conceptual
+ms.topic: reference
ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
index b0ff6c39b5..45ad55ad06 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
@@ -19,6 +19,8 @@ If this policy setting is disabled or not configured, the default recovery optio
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
+
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 03607ce506..2f0191609b 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -25,11 +25,11 @@ Unlike BitLocker that releases data encryption keys at boot, Personal Data Encry
To use Personal Data Encryption, the following prerequisites must be met:
- Windows 11, version 22H2 and later
-- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
+- The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
> [!IMPORTANT]
-> If you sign in with a password or a [security key][AAD-2], you can't access Personal Data Encryption protected content.
+> If you sign in with a password or a [FIDO2 security key][ENTRA-3], you can't access Personal Data Encryption protected content.
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
@@ -111,5 +111,6 @@ Certain Windows applications support Personal Data Encryption out of the box. If
-[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
-[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+[ENTRA-1]: /entra/identity/devices/concept-directory-join
+[ENTRA-2]: /entra/identity/devices/concept-hybrid-join
+[ENTRA-3]: /entra/identity/authentication/howto-authentication-passwordless-security-key-windows#sign-in-with-fido2-security-key
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 05f61ccf78..75939e36c9 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
+### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
+| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index ced5288d21..3556919a26 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
+ - Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- - Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
+ - Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index c2a7ae57a8..2fc0efca6e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index daf7f89f5d..9a4865a98c 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 539eeaeda6..26a2c22a06 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
-## Related topics
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
-- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 85b51dd4d1..53c870afc0 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 8fa4ab6725..9702c4afee 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
-At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section.
Server-side infrastructure requirements to support VPN device compliance include:
@@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com
- Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
-> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
-> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources.
+> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
@@ -71,7 +71,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client.
1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
1. If compliant, Microsoft Entra ID requests a short-lived certificate.
1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
@@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 7199978f6c..0c0b47c65c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"]
> 
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 3233517baa..c1c9ac3826 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: overview
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 666f60d6c1..36074af74a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index aced17dd8e..02b7c5daff 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 01/27/2025
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 4fdbb86971..43f5802163 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,7 +1,7 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: how-to
---
@@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create
- [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp)
- [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10))
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index e5f0bc3f68..6bbae9aa58 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 05/06/2024
+ms.date: 01/27/2025
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne
Once enabled, you can add the routes that should use the VPN connection.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index 0ca87d7370..2e53eeeae5 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 05/06/2024
+ms.date: 01/27/2025
ms.topic: concept-article
---
@@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
-
-## Related articles
-
-- [VPN technical guide](vpn-guide.md)
-- [VPN connection types](vpn-connection-type.md)
-- [VPN routing decisions](vpn-routing.md)
-- [VPN authentication options](vpn-authentication.md)
-- [VPN and conditional access](vpn-conditional-access.md)
-- [VPN name resolution](vpn-name-resolution.md)
-- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 68fce9d079..0409ddfbb3 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -25,7 +25,7 @@ See the following articles to learn more about the different areas of Windows th
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
-- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
+- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/index.md)
## Next-generation protection
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 568b781fc7..4b2f886e48 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 12/12/2024
+ms.date: 01/24/2025
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -57,7 +57,7 @@ The features in this article are no longer being actively developed, and might b
| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
-| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
+| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | December 2023 |
| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index de53336b4b..306de5a2a9 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 11/01/2023
+ms.date: 01/21/2025
ms.collection:
- highpri
- tier2
@@ -43,15 +43,17 @@ The following are frequently asked questions about the ESU program for Windows 1
### How much does ESU cost?
-Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+Extended Security Updates for Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines running in Windows 365 or Azure Virtual Desktop. Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
### Is there a minimum license purchase requirement for Windows 10 ESU?
-There are no minimum license purchase requirements for Windows 10 ESU.
+The minimum license purchase requirements for Windows 10 ESU is one license.
### Can ESUs be purchased for a specific duration?
-Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+The Extended Security Update Program for Windows 10 must be purchased by year. Customers can't buy partial periods, for instance, only six months. Year One starts in November 2025. If you decide to purchase the program in Year Two, you'll have to pay for Year One too, as ESUs are cumulative.
+
### When will the ESU offer be available for licensing?