Commit
Merge pull request #10277 from MicrosoftDocs/main
OOB  Windows 11 24H2 Published main to live, 7:00 AM
padmagit77 authored Oct 1, 2024
2 parents fd3556b + e687ae8 commit 3a377ce
Showing 275 changed files with 12,076 additions and 6,782 deletions.
8,129 changes: 4,412 additions & 3,717 deletions .openpublishing.redirection.windows-security.json

Large diffs are not rendered by default.

@@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 09/23/2024
ms.topic: include
---

## Windows edition and licensing requirements

The following table lists the Windows editions that support Windows Defender Application Control (WDAC):
The following table lists the Windows editions that support App Control for Business:

|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|

Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses:
App Control license entitlements are granted by the following licenses:

|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
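Review bot: The renamed wording is inconsistent within this one include: the first sentence uses the full product name "App Control for Business" while the licensing sentence uses the short form "App Control". Pick one on first use, for example "App Control for Business (App Control)" in the first sentence, and use the short form after that. The ms.date bump to 09/23/2024 is consistent with the rename.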
2 changes: 1 addition & 1 deletion windows/application-management/index.yml
Expand Up @@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps
22 changes: 11 additions & 11 deletions windows/application-management/per-user-services-in-windows.md
Expand Up @@ -4,7 +4,7 @@ description: Learn about per-user services, how to change the template service s
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
Expand Down Expand Up @@ -99,7 +99,7 @@ $services = Get-Service
foreach ( $service in $services ) {
# For each specific service, check if the service type property includes the 64 bit using the bitwise AND operator (-band).
# If the result equals the flag value, then the service is a per-user service.
if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
if ( ( $service.ServiceType -band $flag ) -eq $flag ) {
# When a per-user service is found, then add that service object to the results array.
$serviceList += $service
}
Expand Down Expand Up @@ -229,14 +229,14 @@ If you can't use group policy preferences to manage the per-user services, you c

1. The following example includes multiple commands that disable the specified Windows services by changing their **Start** value in the Windows Registry to `4`:

```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
```cmd
REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
```
#### Example 2: Use the Registry Editor user interface to edit the registry
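Review bot: The step text says only that the commands change the **Start** value to `4` but never says that `4` is the Disabled startup type, which is the whole point of the example; state it in the sentence before the fence, e.g. "...to `4` (Disabled)". The hunk itself only re-indents the `cmd` fence under list item 1, so make sure the opening and closing ``` lines keep the same indentation so the block closes before the `#### Example 2` heading.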
Expand All @@ -248,7 +248,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
1. Change the **Value data** to `4`.
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
:::image type="content" source="media/regedit-change-service-startup-type.png" alt-text="Screenshot of the Registry Editor open to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPSvc and highlighting the Start value set to 4.":::
#### Example 3: Prevent the creation of per-user services
2 changes: 1 addition & 1 deletion windows/application-management/sideload-apps-in-windows.md
Expand Up @@ -4,7 +4,7 @@ description: Learn how to sideload line-of-business (LOB) apps in Windows client
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/22/2023
ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client
ms.subservice: itpro-apps
8 changes: 4 additions & 4 deletions windows/client-management/mdm/applicationcontrol-csp.md
Expand Up @@ -11,9 +11,9 @@ ms.date: 01/31/2024

<!-- ApplicationControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
App Control for Business policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies) (introduced in Windows 10, version 1903). It also provides support for policy deployment (introduced in Windows 10, version 1709) without reboot. Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.

Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing App Control for Business policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although App Control policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
<!-- ApplicationControl-Editable-End -->

<!-- ApplicationControl-Tree-Begin -->
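Review bot: The hunk context still shows `ms.date: 01/31/2024` although the body text and the multiple-policies link are changed here; the other files in this commit (per-user-services-in-windows.md, fod-and-lang-packs.md, index.yml) bump ms.date, so bump it in applicationcontrol-csp.md too. While touching this paragraph, "detects the presence of no-reboot option" should read "detects the presence of the no-reboot option".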
Expand Down Expand Up @@ -861,7 +861,7 @@ The following table provides the result of this policy based on different values

## Microsoft Intune Usage Guidance

For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy App Control for Business policies by using Microsoft Intune](/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune).

## Generic MDM Server Usage Guidance

Expand Down Expand Up @@ -1014,7 +1014,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co

### Setup for using the WMI Bridge

1. Convert your WDAC policy to Base64.
1. Convert your App Control policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:

Expand Up @@ -14,7 +14,7 @@ ms.date: 09/27/2024
<!-- ADMX_DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> Group Policy-based deployment of App Control for Business policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
<!-- ADMX_DeviceGuard-Editable-End -->
<!-- ConfigCIPolicy-Begin -->
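Review bot: The warning is only half-renamed: it now opens with "App Control for Business policies" but continues with "single-policy format WDAC policies" and "To use WDAC on devices...", and the link still points at the old /windows/security/threat-protection/windows-defender-application-control/ deployment guide, whereas the applicationcontrol-csp.md hunk in this same commit moves its links to /windows/security/application-security/application-control/app-control-for-business/. Replace the two remaining "WDAC" mentions with "App Control" and point the link at the new deployment path.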
8 changes: 5 additions & 3 deletions windows/deployment/update/fod-and-lang-packs.md
Expand Up @@ -13,7 +13,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 04/22/2024
ms.date: 10/01/2024
---

# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
Expand All @@ -31,11 +31,13 @@ Due to these changes, the **Specify settings for optional component installation

The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.

Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content.
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. This policy was modified starting in Windows 11, version 24H2 and the following options were removed:<!--8914508-->
- Never attempt to download payload from Windows Update
- Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

## Version specific information for Features on Demand and language packs

Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP.
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options.<!--8914508-->

For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either:
- Change the source selection for feature and quality updates to Windows Update
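Review bot: In the added sentence "This policy was modified starting in Windows 11, version 24H2 and the following options were removed" it is ambiguous which policy "This policy" refers to: the sentence before it names **Specify settings for optional component installation and component repair**, but the paragraph above introduced **Specify source service for specific classes of Windows Updates**. Repeat the policy name, add a comma before "and the following options were removed", and put a blank line between that sentence (which ends in the `<!--8914508-->` comment) and the two bullets so the list reliably renders as a list. The same "The policy was modified" wording in the version-specific section has the same ambiguity.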
1 change: 0 additions & 1 deletion windows/deployment/windows-enterprise-e3-overview.md
Expand Up @@ -105,7 +105,6 @@ For more information about implementing Credential Guard, see the following reso
- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)


### AppLocker management

AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.
12 changes: 6 additions & 6 deletions windows/hub/index.yml
Expand Up @@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 08/27/2024
ms.date: 10/01/2024

highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | training | overview | quickstart | reference | sample | tutorial | video | whats-new
Expand All @@ -25,13 +25,13 @@ highlightedContent:
itemType: get-started
url: /windows/whats-new/windows-11-overview

- title: Windows 11, version 23H2
- title: Windows 11, version 24H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-23h2
url: /windows/whats-new/whats-new-windows-11-version-24h2

- title: Windows 11, version 23H2 group policy settings reference
- title: Windows 11, version 24H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/download/details.aspx?id=105668
url: https://www.microsoft.com/download/details.aspx?id=106255

- title: Windows administrative tools
itemType: concept
Expand Down Expand Up @@ -73,7 +73,7 @@ conceptualContent:

- title: Privacy in Windows
links:
- url: /windows/privacy/required-diagnostic-events-fields-windows-11-22h2
- url: /windows/privacy/required-diagnostic-events-fields-windows-11-24h2
itemType: reference
text: Windows 11 required diagnostic data
- url: /windows/privacy/configure-windows-diagnostic-data-in-your-organization
0 comments on commit 3a377ce