Since launching in 2021, Windows 365 has simplified secured, remote access to desktops by introducing the Cloud PC, a persistent Windows experience streamed from the Microsoft Cloud to any device anywhere. Today, we’re taking the next step to modernize shared devices and task-based workflows, making it easier for IT teams to support diverse environments while improving end-user productivity. The introduction of Windows 365 Frontline brought Cloud PCs to employees who only needed part-time or occasional access to Windows desktops, offering cost-effective and scalable cloud computing to new types of users without adding complexity. Now, we’re excited to announce powerful functionality that extends the reach of Windows 365 Frontline even further - with options to scale the service to an entire workforce. Windows 365 Cloud Apps, now generally available, uses Windows 365 Frontline in shared mode to provide users with access to individual applications, without requiring each user to have their own dedicated Cloud PC. Alongside Cloud Apps, we are launching key technical enhancements to simplify rollout and adoption, including User Experience Sync, which is now generally available, and Windows Autopilot Device Preparation profile, in public preview. User Experience Sync enables app settings and accessibility preferences to persist across sessions, delivering a personalized experience for users even in shared environments. For IT admins, Windows Autopilot Device Preparation profile simplifies provisioning by pre-installing critical apps as needed, without maintaining complex images.   Together, these capabilities in Windows 365 make it easy for IT to deploy both apps and desktops, giving users the productivity they expect from first launch — whether they need a 24/7 desktop, part-time desktop access, or even occasional access to an individual application.  Let’s take a deeper look at these capabilities and how they transform the Windows 365 experience: Just the essentials — Windows 365 Cloud Apps for task-based workflows Windows App launching Windows 365 Cloud Apps Now your workforce can quickly perform tasks by accessing the business applications they need right from the Windows App. This also delivers simplified management through Microsoft Intune, reduced infrastructure complexity, and faster deployment — all while maintaining enterprise-grade security and compliance. Windows 365 Cloud Apps are especially useful for organizations wanting to modernize legacy virtual desktop infrastructure (VDI) environments, where existing solutions can be challenging to scale and complex to manage, leading to outages, misconfigurations, or security gaps. Migrating published VDI apps to the Windows 365 service offers the advantages of Cloud PC manageability and experience, with cost-effective pricing. To learn more about Windows 365 Cloud Apps, visit Windows 365 Cloud Apps Apply a consistent experience to shared Cloud PC scenarios Shared workstations often sacrifice personalization for cost savings. With User Experience Sync, Windows 365 Frontline in shared mode delivers a consistent experience every time, reducing frustration and improving productivity for users in shared environments. It ensures that applications which save user settings or application data persist that info across sessions, and maintains other aspects of the Windows experience, such as accessibility options. We’re also investing in faster sign-in experiences across Windows 365 Frontline modes (dedicated and shared) to help users get productive from the first click, so workflows start seamlessly without delays. Screenshot of User Experience Sync admin configuration Managing cloud storage with User Experience Sync As a key component of our service offering, User Experience Sync is included at no additional cost in Windows 365 Frontline. Storage for user settings data is built in and determined by the size of the OS disk in the Cloud PC configuration. For example, Cloud PCs with a 128GB OS disk will have an additional 128GB of storage available, dedicated to User Experience Sync. This space is pooled across users, with larger disks providing greater storage capacity. IT admins can set user storage limits to match differing scenarios, monitor usage through Intune, and configure alerts when storage runs low. This storage is created during a user’s Cloud PC or app first-run experience, offering flexibility without limiting the number of assigned users. To learn more about User Experience Sync, visit User Experience Sync configuration. Screenshot of a provisioning policy, with a graph showing available and used user storage Autopilot app installs bring productivity from first use Time-to-productivity is critical for organizations of all types and sizes. Ensuring that workers have access to the applications that they need right away leads to improved employee satisfaction, enhanced security, and increased productivity. With Autopilot Device Preparation profile capabilities, IT admins can use Microsoft-provided images for Windows 365, then target an app or set of apps for automatic deployment, ensuring they are pre-installed before a user ever signs in. This reduces IT overhead and complexity, while delivering a meaningful first run experience. This is a notable improvement compared to traditional VDI, where admins often spend considerable effort maintaining sets of custom or “golden” images — and represents significant time savings for IT admins managing Windows 365. This public preview feature has now been expanded to include support for Windows 365 Enterprise and all Windows 365 Frontline Cloud PC configurations, including Windows 365 Cloud Apps. This means that IT admins can also easily deploy applications through Intune as Windows 365 Cloud Apps without taking on the complexities associated with custom image management. Get started with Windows 365 Frontline and Windows 365 Cloud Apps today With powerful new features such as Windows 365 Cloud Apps, User Experience Sync, and Autopilot Device Preparation profiles at your fingertips, there’s never been a better time to move to Windows 365. These innovations simplify deployment, reduce IT overhead, and empower your workforce with secure, flexible access to the apps and desktops it needs. To get started: * Deploy Windows 365 Cloud Apps in a Windows 365 Frontline environment to deliver task-based access to applications without dedicated Cloud PCs. * Enable User Experience Sync with Windows 365 Frontline in shared mode to give users a consistent experience across sessions. * Use Autopilot device preparation profiles to pre-install critical apps and accelerate first-use productivity for users. Start implementing these capabilities today to deliver a modern and scalable desktop or app virtualization environment. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Today at Ignite, we’re announcing new Windows recovery capabilities designed to help IT admins respond quickly — whether it’s restoring a single PC that’s misbehaving or recovering large sets of devices during a widespread outage. Device recovery scenarios vary, and customers need different tools for different situations. That’s why we’re providing a range of solutions, all managed through a familiar, centralized platform. Microsoft Intune brings these capabilities together, and other modern device management vendors can integrate similar functionality if they choose. In this blog post, we are covering the tools that are available to you this week. Stay tuned for future blog posts that will deep dive into other capabilities. Quickly recover Windows devices during a widespread outage Large outages affecting millions of devices are rare but frustrating when they can only be remediated by an in-person action. These devices are usually stuck on WinRE. That is when quick machine recovery (QMR) comes into play. QMR is a Windows capability that automatically detects, diagnoses, and remediates boot critical issues from WinRE, helping restore productivity without requiring hands on, in-person intervention. QMR is generally available and enabled by default on Windows Home and will be soon enabled on Pro devices that are not managed by IT. It requires Windows 11 24H2 or 25H2. On managed Windows Pro and Enterprise devices, QMR needs to be enabled by IT policy, and soon can be enabled just-in-time by Autopatch management. We are introducing the preview of QMR management in Windows Autopatch. Autopatch empowers IT administrators with comprehensive control over the deployment of QMR updates, including approvals, scheduling, alerting, and reporting. To discover more details, visit the Ignite Autopatch blog post and attend the Ignite breakout session BRK345: Resilient by design: How Windows has evolved with new recovery tools for a demo. Restore Windows devices to a previous state in minutes A device disruption doesn’t have to be widespread — it can strike any device at any time and cost organizations valuable time and productivity. That’s why we’re excited to introduce point-in-time restore for Windows, a new recovery capability that enables devices to be rolled back to a previous state within minutes. This feature is designed to help minimize downtime and simplify remediation, without the need for technical expertise or lengthy troubleshooting. A public preview of this feature will be available this week for Windows Insiders. Point-in-time restore will help IT admins (remotely) or end users (locally) restore a PC to a previous state from restore points stored on the device. This feature can be used to help customers recover from both widespread and one-off issues. When a device or group of devices has been suddenly impacted, point-in-time restore provides a fast way to return to productivity without waiting for a targeted fix. Point-in-time restore aims to address the need for: * Flexibility, as a restore can help resolve both isolated and widespread incidents * Fast and simple recovery in minutes without advanced troubleshooting needed. * Built‑in reliability and predictability, including recurring capture of restore points, a short restore point retention period, and disk space limits * Comprehensive rollback of the entire system to a previous state, including OS, apps, settings, configurations, and local files How is this different from System Restore? Organizations may be wondering how this capability differs from System Restore. While both point-in-time restore and system restore use Volume Shadow Copy Service and are designed to restore the system to a previous state, there are important differences: Point-in-time restore System Restore Restore points Automatic, configurable cadence. User files are included in restore point. Event-triggered or manual only. User files are excluded from restore point. Reliability Strict retention and cleanup policies No retention limits User experience Integrated in system settings Limited to control panel Fundamental impact Designed to minimize storage impact Higher impact to storage space Management Will support robust remote management capabilities Limited remote management capabilities How does this feature in Windows 11 compare to point-in-time restore for Windows 365? Both point-in-time restore for Windows and point-in-time restore for Windows 365 are designed to help organizations recover quickly from system failures, flawed updates, or user errors. While these features share the same core goal of minimizing downtime and restoring productivity during disruptions, their implementations differ due to architectural differences and design choices unique to each environment. Below are the key differences that IT administrators should be aware of when evaluating or deploying point-in-time restore across environments:   Windows client Windows 365 Feature enablement Can be enabled or disabled Always on Restore point retention Up to 72 hours Up to 1 month Restore point types Short-term only Short-term, long term, and manual Restore point sharing No sharing, restore points remain local Support sharing across Windows 365 and Azure Cloud Restore speed Likely faster due to local storage of restore point Speed is affected by network latency and bulk vs. single restores Storage constraints Bound by physical disk limits Scalable, cloud storage Limitations and risks for Windows client As with any recovery solution, it is important to be aware of some limitations and risks. * Data loss: point-in-time restore is a comprehensive recovery solution that reverts the entire system — including user files, applications, settings, passwords, secrets, certificates, and keys — to the selected restore point. Any changes made after the restore point will be lost. Data stored in cloud services such as OneDrive is not affected. * Storage constraints: restore points are stored locally and require sufficient disk space to be maintained. If available disk space becomes limited, the oldest restore points will be deleted automatically to free up space. To complete a restore, the device must have at least as much free space as the total size of all restore points on the system. * Restore points are retained for a maximum of 72 hours and are deleted after this period. * There is no guarantee that a rollback will always result in a bootable or fully functional system, as certain system states or updates may impact reliability. What will be available in the preview this week? Starting this week Windows Insiders in the Beta and Dev Channels can test point-in-time restore by installing the latest Insider Preview build for Windows 11.  Point-in-time restore settings page in System > Recovery Devices running Home, Pro or Enterprise editions of Windows will have access to view all configurations, however, only administrators will have the ability to configure the feature.  Configurations are available in Windows 11 System Settings and are outlined below: Configuration Default (preview) Options Feature On/Off On* On, Off Restore point frequency Every 24 hours 4, 6, 12, 16, 24 hours Restore point retention 72 hours 6, 12, 16, 24, 72 hours Maximum usage limit 2% of disk Percent of disk (min 2GB, max 50GB equivalent) *Only devices with a total disk size of 200GB or greater will have the feature on by default. Devices with disk sizes below 200GB can still configure the feature to be on if desired. For preview, a restore can only be triggered locally by the end user when the device is in WinRE only (remote management of this feature and triggering a restore from full Windows is not included in the preview). Point-in-time restore shown in the Troubleshoot menu for WinRE The steps to perform a point-in-time restore are below: * In WinRE select Troubleshoot > Point-in-time restore * Enter BitLocker recovery key . * Select a restore point to restore PC to the exact state it was at the time of the restore point. * Review and acknowledge the risks and limitations associated with this feature by selecting Continue. * Review the restore point selection, OS version, and warning of data loss, and select Restore to start the restore process. File your feedback via the Feedback Hub (under Recovery and Uninstall > Point-in-time restore) to help us refine and optimize this feature. Next steps Stay tuned for future enhancements as we continue to strengthen Windows resilience and support IT admins in maintaining seamless business operations. Point-in-time restore and quick machine recovery (QMR) with Autopatch are available this week — start testing both to help build your own recovery framework. Additional tools will become available in the first half of 2026. Attend the Ignite breakout session Resilient by design: How Windows has evolved with new recovery tools (BRK345) for more details and demos. The session will be recorded, so you can stream it on demand. To learn more about the Windows Resiliency Initiative, see the Windows Resiliency e-book . Disclaimer: This blog post is for informational purposes only and outlines Microsoft’s current product direction and plans. Product availability, licensing terms and capabilities may vary by region and are subject to change. All third-party trademarks are the property of their respective owners. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

The evolving threat landscape for virtualization The rapid adoption of cloud-based virtualization has transformed how organizations deliver secure, scalable workspaces. This shift has also expanded the attack surface for cybercriminals. Recent market intelligence highlights that endpoint malware like infostealers, keyloggers, screen scrapers, and ransomware continue to target user devices. This includes personal devices like those used for Bring Your Own Device (BYOD) strategies, as those unmanaged devices may be less secure and thus an easier target. Harvesting sensitive data at the endpoint device has become a top method for attackers using tools like Infostealer malware, which has become a leading threat that is used to steal sensitive data from both managed and unmanaged devices. [1] Attackers are increasingly targeting personal devices that access corporate resources, exploiting gaps in endpoint security. Shifting the trust boundary to the endpoint For organizations embracing a remote workforce, endpoint protection is no longer optional — it’s essential. While virtualization solutions secure the cloud and network layers, they cannot fully shield against threats originating on user devices.  * Malware risk: Keyloggers and screen scrapers on unmanaged endpoints can capture sensitive data before it reaches the cloud. * BYOD exposure: Personal devices often lack enterprise-grade security, creating compliance and data loss risks. * Detection delays: Endpoint breaches can go unnoticed for months, giving attackers time to harvest credentials and compromise sessions. Customers need assurance that every device connected to a cloud service meets security posture requirements. Enforcing keyboard input protection on the endpoint and verification checks from the cloud side — within the virtualized environment — offers end to end protection and closes these gaps and ensures safety guardrails are always applied, regardless of device type. This is critical for safeguarding sensitive data and maintaining compliance in a distributed workforce.  Introducing Windows Cloud Keyboard Input Protection We are excited to announce Windows Cloud I/O Protection capabilities, to help protect Windows 365 Cloud PC and Azure Virtual Desktop VM endpoints from malware and other risks stemming from inputs or displays. The first of these new capabilities is Windows Cloud Keyboard Input Protection, now in public preview, purpose-built to address endpoint security concerns for Windows 365 and Azure Virtual Desktop. It establishes a secure communication channel that begins at the endpoint device’s kernel and extends to Windows 365 Cloud PCs or Azure Virtual Desktop session host or virtual machines (VMs). Windows Cloud Keyboard Input Protection solution ensures the confidentiality and integrity of sensitive input data by encrypting user keystrokes at the kernel level and decrypting them exclusively within the remote virtual environment. As a result, unauthorized interception or manipulation of input is effectively prevented throughout the entire path—from the moment the user types until the data reaches the Cloud PC.  Solution components include: * Kernel-level encryption: A software kernel driver and system-level encryption service work together to route all keyboard inputs directly from the physical device to the Cloud PC or Azure Virtual Desktop VM’s in encrypted format. This prevents interception by OS-level malware, including keyloggers and screen scrapers. * VM-side decryption: Only the remote Cloud PC or VM can decrypt the keystrokes, ensuring that sensitive data never appears in clear text on the endpoint device. * Seamless user experience: The protection is transparent to users and IT admins, maintaining productivity while enforcing robust security without performance impact. Activating Windows Cloud Keyboard Input Protection Security IT admins can enable Windows Cloud Keyboard Input Protection using Group Policy in an Active Directory domain by opening the Group Policy Management console, navigating to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > Enable Keyboard Input Protection, and enabling it as shown below. IT admins can easily enable keyboard input protection for Windows 365 or Azure Virtual Desktop. After the feature is enabled, the end user with admin privileges will need to install Windows Cloud IO Protect endpoint enablement package (WCIO Protect.msi) on their physical device. This feature is supported in: * Windows Azure Virtual Desktop VMs with the latest Microsoft supported Windows Client OS versions. * Supported endpoint device OS: * Supported: Windows 11 physical devices running supported Windows App (Version should be 2.0.704.0 or newer) with Windows Cloud IO Protect msi installed on them To learn more about setting up Windows Cloud Keyboard Input Protection, visit our Learn page. How Windows Cloud Keyboard Input Protection helps With the proliferation of endpoint threats and the rise of remote work, organizations need more than just cloud security — they need endpoint-to-cloud protection. Windows Cloud IO Keyboard Input Protection delivers: * Compliance assurance: By preventing unauthorized data capture at the endpoint, organizations can better meet regulatory requirements for data protection and privacy. * Reduced breach risk: Utilizing secure communication channels from the end point kernel to the remote VM dramatically lowers the risk of credential theft and data exfiltration from resident threats. * Future-ready security: As attackers evolve, Microsoft’s approach — combining kernel-level protection, device compliance, and cloud integration — sets a new standard for secure desktop delivery. Next steps Windows Cloud Keyboard Input Protection will be rolling out to organizations using Windows 365 and Azure Virtual Desktop in the coming weeks. To learn more about this feature, and other security capabilities within Windows Cloud, please visit our resources: * Windows 365 Learn doc on Win Cloud IO Protection * For an overview of Windows 365 Security concepts, visit https://aka.ms/w365security * To see more about our Ignite announcements around Windows 365 and Azure Virtual Desktop, see our Windows blog * To see our security announcements bringing B2B and external identity support for Windows 365 and Azure Virtual Desktop, visit this blog * To learn more about the security risks and mitigations for BYOD, and how Windows 365 can help, visit https://aka.ms/w365byodebook * The 2025 Verizon Data Breach Investigations Report found that 30% of compromised systems were enterprise-licensed, while 46% were non-managed endpoints, often due to BYOD policies. ↑ --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community , then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A .

With Windows 365 and Azure Virtual Desktop, organizations have been able to offer Windows delivered from the cloud to users to be productive, connect to IT resources, and to securely sign in across devices. Previously, you could only do so for member users, with accounts and credentials that are fully managed in your organization. With our latest updates, you can provide access to users who are outside your organization by simply inviting them into your organization, without having to create and assign brand new, temporary accounts. We’re excited to announce: * Connecting to Windows 365 and Azure Virtual Desktop with an external identity is now generally available * Using FSLogix as a user profile management solution for external identities with Azure Virtual Desktop is now in public preview What external identity support means With support for external identities in Windows 365 and Azure Virtual Desktop, you can standardize your approach to virtualization for users that are either internal or external to your organization. External identities may include roles like contractors or third-party vendors. You can also leverage other Microsoft Entra investments for external identities: * Enforce conditional access (CA) controls specific to external identities * Enforce multi-factor authentication (MFA) registration for the external identity in your tenant * Enforce Global Secure Access (GSA) configuration on the Windows machine the external identity will be using to access your resources. Note: Because external identities are cloud-only users and do not have a representation in Windows Server Active Directory, Kerberos authentication can’t be used. In the screenshot above, you can see that Cameron Baker is originally from the Fabrikam (fabrikam.com) organization, but is seeing resources that the Contoso (windows365-demo.microsoft.com) organization has assigned to them as an external identity. Assign a resource to external identities (generally available) The admin flow for provisioning a Windows 365 Cloud PC or assigning Azure Virtual Desktop resources to an external identity is nearly identical to doing so for a member user in your tenant. The steps for assigning an external identity include: * Assigning the user the appropriate licenses. * Assigning the user to an Entra user group. * Assign the Entra user group to the Cloud PC provisioning policy or Azure Virtual Desktop application group. a.   Note: For Azure Virtual Desktop, make sure you also assign the Virtual Machine User Login Azure role-based access control (RBAC) role to the external identity on any Azure Virtual Machine (VM) they may sign in to. After completing these steps, the user can access their assigned resources, just like other assigned users in your organization. For your Windows 365 or Azure Virtual Desktop environment, make sure to consider the following: * You must configure Microsoft Entra single sign-on for the user’s connection. * The Cloud PC or Azure Virtual Desktop session host must be Entra joined. * The Cloud PC or Azure Virtual Desktop session host must be running Windows 11, version 24H2 or later with the 2025-09 Cumulative Updates for Windows 11 (KB5065789) or later installed. Configure FSLogix on Azure Files for external identities (public preview) To provide a streamlined experience in an Azure Virtual Desktop pooled environment for external identities, you can create a file share in Azure Files to store the FSLogix profiles for these identities. This capability is now in public preview. To create an SMB file share for FSLogix profiles for external identities: * Create a new storage account and file share configured to use Microsoft Entra Kerberos authentication. * (New) When assigning permissions for the file share, use the new Manage access page to assign ACLs to the Entra ID group containing your external identities. In the screenshot above, you can see the Manage access page, where each row is an individual permission added to the SMB file share. In this example, WCX-External-Identities is the Entra group containing the external identities, and they have been assigned permissions in the file share which will be used to create and access each external identity user’s FSLogix profile container. * Configure FSLogix in your session hosts to use this Azure File share. Once configured, the external identities can sign in to the Azure Virtual Desktop environment and have an FSLogix user profile just like other users in your organization. This provides a seamless experience when landing across different session hosts in the same host pool. For full step-by-step instructions, see how to Store FSLogix profile containers on Azure Files using Microsoft Entra ID. A more secure Bring Your Own Device (BYOD) strategy These capabilities can help organizations looking for a more secure BYOD experience, or when provisioning identities to a contractor, external partner, and more. To see the latest guidance from Microsoft on how to use Windows 365 to secure your BYOD strategy, visit the https://aka.ms/W365BYODeBook. Additional resources We continue to roll out more features to help organizations secure their Cloud PCs and VMs. See our other latest security announcements, here: * To see our Ignite announcements for Windows 365 and Azure Virtual Desktop, visit the Windows Experience blog here. * To learn more about new Windows Cloud input protection capabilities for Windows 365 and Azure Virtual Desktop, visit here.   --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Since we first announced Windows 365 Link — the simple, secure, purpose-built device for Windows 365 — at Microsoft Ignite last year, we have been energized to see organizations deploying it in shared spaces ranging from retail stores to factory floors and even clean rooms. We have highlighted how, according to a Microsoft commissioned Forrester TEI study, it is projected to deliver a substantial return on investment up to 195% over six years for a composite organization replacing desktops for frontline and knowledge workers.* This year at Microsoft Ignite, we’re highlighting what’s new for Windows 365 Link and diving deeper into how it can boost productivity and strengthen security while helping you optimize IT investments — particularly for your frontline. Tune into our upcoming Microsoft Ignite 2025 breakout session and read on to learn more.  “Windows 365 Link provides secure access to cloud desktops, transforming hardware-dependent services into agile, cloud-based solutions. In shared environments, it offers a low-cost alternative without sacrificing user experience. In Retail, it will boost security, supporting a zero-trust model that safeguards critical customer systems while removing friction.” - Matt Harkness, Product Manager Modern Workplace, One NZ “Regeneron uses the power of science to bring new medicines to patients in need. By standardizing on Windows 365 Link devices across our clean room environments, we’ve minimized endpoint maintenance and enabled seamless hotdesking. This shift not only lowers operational costs but also enhances compliance and manufacturing agility as we can implement data integrity controls centrally and immediately.” - Matt Humphreys, Senior Director of Global Enterprise Operations IT, Regeneron Pharmaceuticals Inc. Windows 365 Link devices are configured out of the box to receive regular updates to enhance the end-user experience and streamline IT management. Recent updates include: * Support for use with Windows 365 Reserve Cloud PCs, making Windows 365 Link a great backup option when someone’s primary desktop is unavailable due to hardware failure. * Support for voice access to enhance accessibility, enabling users to control their PC and insert text using voice commands, without needing a keyboard or mouse. * Support for smart card redirection, enabling authentication to apps and websites in a Cloud PC through a smart card reader. * Support for users with multiple Cloud PCs to choose which Cloud PC to connect to after initial sign-in. Connection Center showing multiple Cloud PCs after sign-in Looking ahead, here are some key updates targeted for release in the first quarter of 2026: * Support for pairing Bluetooth® devices during the out-of-box experience, so you can use a wireless keyboard and mouse to set up the device. * Support for tenant branding including setting a custom wallpaper, logo, and name on the sign-in screen, so you can provide a tailored experience for your employees. * The ability for IT to restore a device to its original factory default state using a bare metal recovery image, providing one more way to recover the device in case you need to join it to another tenant. * Improvements to the sign-in experience to support a broader set of interactive authentication experiences when connecting to Cloud PCs. We have heard that organizations appreciate how Windows 365 Link devices support high-fidelity Microsoft Teams meetings, and they also want support for media redirection with partner solutions. We are happy to share that Webex by Cisco and Zoom are actively working to enable high-fidelity meetings on Cloud PC devices. The Webex VDI Plugin for optimizing meeting experiences on Cloud PC devices is targeted for preview release in the first half of 2026. Additional third-party communication app providers who are interested in enabling a plugin for Windows 365 Link can reach out via this form. Windows 365 Link is now available in 13 countries and will expand early next year to seven more. If you want to purchase Windows 365 Link for desk-based and frontline users in your organization, contact your Microsoft account team or authorized resellers in Australia, Canada, Denmark, France, Germany, India, Japan, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom, and the United States. Availability will further expand to Belgium, Finland, Ireland, Italy, Poland, Singapore, and Spain starting in February 2026. *ROI estimate is based on a commissioned study conducted by Forrester Consulting on behalf of Microsoft, New Technology: The Projected Total Economic Impact™ of Windows 365 Link, July 2025. The Forrester study findings are for a composite organization with 2,000 employees, 500 contractors and $4 billion in annual revenue informed by interviews with six IT decision-makers who had experience using Windows 365 Link and survey responses from 212 IT decision-makers and end-user managers who had experience with or interest in using Windows 365 Link. ROI projections reflect perceived benefits reported by participants and are not guaranteed. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community , then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A .

As AI adoption continues to accelerate across organizations of all sizes, it is critical for IT leaders to secure their devices estate to keep their organizations protected, productive, and ahead of the curve. Managing Windows updates should be a seamless, intelligent process that empowers teams to focus on strategic priorities. That’s why Microsoft is continuing to build the future of Windows update management with Windows Autopatch, bringing improved clarity, reporting, automation, and control to update readiness. By combining real-time visibility, proactive remediation, streamlined scheduling, and resilient recovery solutions, Autopatch helps to keep your devices protected and businesses stay agile. In this post, we’ll share how these innovations are transforming IT operations, delivering peace of mind, and setting a new standard for secure, automatic Windows update management. Windows Autopatch is available for customers with Windows Enterprise, Frontline, US Government, Education and Business Premium SKUs. Learn more here. Elevate your IT experience: Autopatch brings update readiness to the forefront Every month it feels like IT environments become more complex and dynamic, creating challenging, time-consuming workloads for system administrators. Deploying at scale means IT leaders need technology that adjusts to meet fast evolving work demands. In the latest enhancements to Autopatch, update readiness is ready to give IT teams just that — the tools they need to anticipate issues, streamline deployments, and maintain organizational resilience, including reporting enhancements IT administrators have long asked for. Proactive peace of mind: Automated checks and early remediation Readiness means more than just numbers on a dashboard. Proactive checks help catch hidden prerequisites and safeguards before deployment, reducing manual troubleshooting and minimizing user disruption. Rather than fixing issues after they happen, administrators can review lists of devices that need remediation (for example, a list of devices not ready for quality updates due to prerequisites) and address issues up front, saving time and avoiding unnecessary rework. Fewer disruptions, happier users — it's a win-win. Follow every device’s journey: Streamlined troubleshooting made simple We know the complexity of your diverse environments sometimes require more than an “in progress” update status, which is why Autopatch’s new device update journey maps out every device’s progress in clear, actionable steps. Granular timelines and audit trails make it simple to spot where an update might stall, including reasons why a hotpatch couldn’t take place, so problems can be resolved quickly and confidently.  Repair with confidence IT teams can spot devices that need repair, identify any that might face update blockers, and use targeted remediations to stay secure, all through Autopatch. Actionable alerts guide administrators through each step, while integrated audit logs ensure nothing gets missed and progress is always transparent. Actionable alerts, transparent progress When something needs your attention, Autopatch makes sure you’re in the loop with actionable alerts and guided remediation. Each step is tracked, leading to a clearer IT backlog and measurable gains in compliance. Best of all? These features work with your current deployment process — no need to change how you roll out updates. Streamlined quality update scheduling and approvals Autopatch now delivers advanced, cloud-based policies for managing monthly Windows updates, empowering IT teams with precise controls and transparent reporting.  Choose between automatic or manual approvals for security, non-security, and out-of-band updates. This flexibility ensures your update workflow aligns with organizational requirements. Configure deferral settings to implement gradual rollouts, enabling prompt validation with reduced risk and minimal disruption. Autopatch enables you to pause or resume releases as needed, ensuring update deployment remains responsive to business priorities. Enhanced quality update reports offer clear visibility into deployment health, device compliance, approved updates, and actionable alerts — helping IT teams stay proactive and confident throughout the update process.  Extended security updates As Windows 10 has reached end of support, organizations need a dependable way to maintain protection while planning their upgrade path. Extended Security Updates (ESU) deliver critical fixes for devices that have not yet transitioned to Windows 11, supporting business continuity without compromise. With Autopatch, you can still stay protected— ESU integrates smoothly to provide full visibility into coverage and compliance. IT teams can monitor enrollment status through quality update reports, which clearly show devices enrolled in ESU, and receive alerts for those behind on security updates or missing ESU coverage. This proactive approach helps administrators act quickly, maintain compliance, and keep systems protected while preparing for Windows 11. Read more on upgrading to Windows 11 using Autopatch here.   Hotpatch and maintenance windows keep your business secure with minimal disruption Last year, we introduced hotpatch updates, which deliver instant security fixes without requiring device restart and reduce exposure to vulnerabilities. Since then, we have launched hotpatch updates on 64-bit ARM devices, enabling this technology on millions of devices. From your feedback we’ve heard one thing loud and clear: more disruption-free updates. Starting Q1 calendar year 2026, you will have the power to create that experience yourself with maintenance windows. It allows you to streamline all your updates from drivers, .NET, and applications to fit your business needs. You decide, down to the hour, when to restart your machines. Quick machine recovery (QMR) management in Windows Autopatch We live in a world where every minute of downtime can put business at risk, which means uninterrupted device access is crucial to maintaining productivity and organizational continuity. When critical issues in your environments lead to boot failures or outages, small or big, immediate and reliable remediation becomes imperative. Autopatch addresses this challenge with Quick Machine Recovery (QMR) management, a solution that helps recover Windows devices from boot failures (caused by us or 3rd party kernel mode drivers) during large-scale incidents through the Windows Recovery Environment, as part of our Windows Resiliency Initiative. When a large-scale outage occurs, impacted Autopatch-managed devices initiate a QMR scan to check for a Microsoft-published target fix. Based on applicability and approval settings, these fixes are deployed promptly, restoring device functionality and reducing the risk of prolonged outages. Advanced QMR deployment controls Autopatch empowers IT administrators with comprehensive control over the deployment of QMR updates. By default, all Autopatch-managed devices are QMR scan-ready, ensuring that recovery options are available whenever needed. Administrators may opt out of default scans or fine-tune approval settings within quality update policies, choosing between automatic approvals — with customizable deferral windows — or manual reviews for enhanced oversight. This flexibility allows organizations to tailor their response, balancing swift action with governance, especially during critical events. Integrated alerts and remediation reporting Beyond the boundaries of policy management, Autopatch integrates QMR with robust alerting and reporting capabilities. Administrators receive timely notifications when QMR updates become available or when prerequisites are not met, facilitating rapid intervention. The Autopatch portal provides a comprehensive view of all impacted devices, while detailed remediation reports track recovery status. These reports deliver actionable insights, highlighting successful restorations and identifying devices where further attention is required. By supporting fast, secure device recovery that aligns with organizational policies — even during large-scale boot failures — Autopatch enables IT teams to maintain a resilient Windows environment, meeting your priorities: fewer disruptions, improved business continuity, and greater confidence in your organization’s Windows update strategy. Start benefiting today — no disruption required All these capabilities significantly enhance the impact Autopatch has on your organization, so you can enjoy better visibility, proactive checks, and targeted fixes without overhauling your workflows. Designed to deliver immediate value, Autopatch helps IT teams boost confidence and minimize toil, making Windows update management simpler, more secure, and more insightful than ever. * Start using Autopatch now: Discover how here. * Get early access to Autopatch update readiness and Quality Update scheduling and approvals: Sign up now. * Join the Microsoft Customer Connection Program for exclusive opportunities to help shape our product, get early access to the roadmap, and connect with a community of IT professionals. Disclaimer: This blog post is for informational purposes only and outlines Microsoft’s current product direction and plans. Product availability, licensing terms, and capabilities may vary by region and are subject to change. All third-party trademarks are the property of their respective --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community , then follow us @MSWindowsITPro on X and on LinkedIn . Looking for support? Visit Windows on Microsoft Q&A .

Windows 365 has established itself as a market leader in virtualization, empowering human users with secure, scalable Cloud PCs for productivity from any location on any device. Now, as AI evolves, a new class of computer use is emerging: AI agents that interact with computers much like people do. Agent makers — developers and organizations building these agents — are driving innovation in automation and productivity. Windows 365 for Agents extends the platform to support these new workloads, while continuing to serve human users. This opens the door to enable AI-powered systems, such as Copilots, agents, and autonomous workflows, to access a full Cloud PC.   As agent makers push the boundaries of intelligent AI systems, Windows 365 for Agents empowers them to focus on innovation — not infrastructure. Our platform reduces the complexity of compute management, delivering built-in security, scalability, and observability. These agents can browse websites, process data, and automate tasks, all within a secured, policy-controlled Cloud PC streamed from the Microsoft Cloud. Now in public preview, Windows 365 for Agents is the cloud platform designed to power computer use and help agent makers deliver the best agentic experience to organizations and end users.  Empowering agent makers Windows 365 for Agents provides a comprehensive set of APIs for agent makers to manage and utilize compute resources. Windows 365 is designed to support a broad spectrum of agent solutions, operating systems, and data access controls, empowering agent makers to innovate freely. This future-ready approach ensures that as agentic computer use needs evolve, Windows 365 will be ready to support them.  * Advanced lifecycle management Windows 365 for Agents offers end-to-end Cloud PC lifecycle management from session management and networking to capacity and regional data residency. * End-user visualization and observability The service provides agent makers the functionalities of real-time visualization with take-control experience, or audit screenshots with time stamps on demand. * Cost efficiency with pay-as-you-go pricing   Agent makers only pay for what they use, providing an affordable choice for dynamic workloads and budget-conscious teams.  * Broad OS support The Cloud PCs can operate Windows, Linux, and browser-based environments, enabling a broad range of agentic workloads including open-source and cross-platform scenarios. * Flexible data control options From enterprise-grade access control for commercial scenarios to quick start experiences for consumer offerings, Windows 365 for Agents meets agent solutions where they are. Windows 365 for Agents is the backbone of some of the most advanced Microsoft AI initiatives and partner solutions. * It serves as the execution platform for agents built into Microsoft Copilot Studio computer use — the Microsoft toolkit for building custom Copilot AI agents to automate web tasks right from a prompt. Here, Windows 365 unlocks a seamless, secure automation experience with no machine setup required. * It’s also embedded within Project Opal, a new capability in Microsoft 365 Copilot. Opal uses Windows 365 for Agents for work task completion securely and intelligently on users’ behalf, so teams can focus on what matters most. * Researcher with Computer Use in Microsoft 365 Copilot  allows users to automate website navigation and actions with real-time visualization. It is the first supported Microsoft solution that leverages Cloud PCs running a Linux environment. Copilot Studio custom agent automating tasks on managed Cloud PCs  Opal operating on a Windows 365 for Agents Cloud PC Researcher with Computer Use running Windows 365 for Agents We are excited to share that leading agent makers — Manus AI, Fellou, Genspark, Simular, and TinyFish — are already looking forward to leveraging Windows 365 for Agents to deliver next-generation AI solutions. Manus AI, for example, is using Windows 365 for non-domain-joined Cloud PCs, empowering everyday consumers to access intelligent PowerPoint creation and editing.    “Windows 365 for Agents provides the secured, scalable, and always-available compute foundation that Manus AI needs to thrive. By harnessing the power of the Cloud PC, our general AI agent can operate with greater agility, responsiveness, and reach — empowering users to access intelligent assistance wherever they work.” – Xiao Hong, CEO of Manus AI.  Manus AI integration with Windows 365 for Agents Trusted infrastructure for organizations In addition to agent makers, we developed Windows 365 for Agents to meet the complex requirements of enterprise organizations. As professional industries adopt cutting-edge AI systems for productivity, agents are held accountable to even a higher bar in security and compliance. Organizations looking to scale AI responsibly can rely on Windows 365 for:  * Enterprise-grade security & compliance   Agent sessions can be configured for enterprise-grade security and compliance, including Microsoft Entra join, Microsoft Intune management, and network configurations. * On-demand scalability   Agents can launch as many Cloud PCs as needed, supporting a wide range of workloads and parallel processes. The infrastructure is designed to scale flexibly with organizations’ needs, ensuring reliable performance for dynamic scenarios. * Seamless IT management   No new tools. No new training. IT admins can manage agent Cloud PCs just like user Cloud PCs on Intune, Microsoft 365 Admin Center, and Power Platform Admin Center — streamlined, familiar, and integrated into existing processes. We invite you to explore how Windows 365 can transform your approach to automation and AI. Get started with Copilot Studio powered by Windows 365 with 50 free hours of Cloud PC pool usage — no additional sign-up or IT setup required. Visit here to get started. If you’re an agent maker, IT leader, or developer interested in being among the first to try Windows 365 for Agents , sign up here to express your interest in our preview. Don’t miss your opportunity to shape the future of autonomous work and experience the platform that’s setting the standard for AI-powered productivity.   --- Continue the conversation, find best practices. Bookmark the Windows Tech Community , then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A .  

From forward-looking frontier firms to businesses just getting off the ground, every Microsoft customer is seeking ways to improve performance and sustainability efforts. For commercial organizations, Windows meets this need with a chip-to-cloud computing foundation that helps conserve energy, reduce waste, and efficiently manage resources.    Built-in energy efficiency settings in Windows 11 First, Windows 11 is a carbon-aware operating system When devices are plugged in, turned on, connected to the internet and regional carbon intensity data is available, Windows Update will schedule installations at specific times of the day. Installing updates at these specific times might result in lower-carbon emissions because a higher proportion of electricity is coming from lower-carbon sources on the electric gridi. Figure 1: Windows Update is carbon-aware Windows provides energy recommendations with options like shorter screen-off times and disabling unused devices, to further boost efficiency. These come together in Energy Saver mode, now available in Microsoft Intune.   These tools and features can help support your sustainability efforts while maintaining a smooth and productive Windows experience.  Smarter printing, less waste We are proud to announce that cloud-based Universal Print now includes an IT badge secure release feature.   To get their document(s), the person must be present at the printer and authenticate with a QR scan or physical badge. This feature can help support efforts to reduce unnecessary paper and toner use associated with unclaimed printouts.   Figure 2: Universal Print Anywhere with badge release Windows in the cloud: A lower-carbon option In new research by WSP USA, analysts compared the carbon emissions associated with provisioning physical PCs and cloud-based virtualization using Windows 365 and Azure Virtual Desktop (Windows in the Cloud Sustainability Report: Estimating the Carbon Emissions Impact of Transitioning to Windows 365 and Azure Virtual Desktop. Microsoft-commissioned study, September 2025).   Figure 3: WSP USA Windows in the Cloud Sustainability Report The findings were compelling. For users with low-to-medium intensity workloads, using a Windows 365 Cloud PC instead of a new laptop resulted in annual carbon reductions of approximately 70–90 kilograms of CO₂ equivalent per user in the United States and 60–80 kilograms in Europe.ii ,iii These savings stem from avoiding the manufacturing and transportation emissions associated with new devices. This can help you minimize e-waste and lower Scope 3 emissions.                 At scale, the impact is substantial. A group of 1,000 of these Cloud PC users could avoid the same emissions as those produced by burning 30 metric tons of coal in a year.iv For high-intensity users, such as engineers and designers, moving workloads from high-powered physical machines to Azure Virtual Desktop or Windows 365 is estimated to yield annual emissions reductions of about 70 kilograms of CO₂ per user in the U.S. and 55 kilograms in Europe, due to avoiding the manufacturing and transportation emissions associated with new devices.iii; iv A group of 1,000 high-intensity Cloud PC users could avoid the same emissions as not burning approximately 27 metric tons of coal in a year.v NOTE: These models may not reflect the specific circumstances or operational realities of any individual company. As such, the results should not be used for regulatory reporting, greenhouse gas (GHG) inventories, or other formal disclosures. Companies are encouraged to conduct their own analysis to determine emissions impacts relevant to their unique business structure and activities.  Data-driven insights and automation with Microsoft Intune Sustainability requires ongoing monitoring and optimization. Microsoft Intune and the Intune Suite comprise a cloud-based unified endpoint management solution that offers deep visibility into consumption patterns.   Now you can enforce power-efficient configurations at scale to reduce environmental impact and improve device longevity and efficiency.  * Manage Energy Saver settings centrally via Microsoft Intune and Group Policy. Configure policies for screen timeout, sleep settings, and Energy Saver activation thresholds across all managed PCs.   * The Intune Advanced Analytics Battery Health report offers a fleet-wide view of battery performance and usage patterns. Get a Battery Health Score for each device to help identify aging or failing batteries that may increase energy consumption or device issues.   * The Resource Performance report in Intune Advanced Analytics extends sustainability benefits beyond battery management, with CPU and RAM Spike Analysis. This identifies devices that consume excessive power due to hardware stress.   * Intune anomaly detection identifies devices with inefficient resource utilization. IT teams can easily investigate and remediate issues, so devices run more efficiently and consume less power.   *  Remote Help, another Intune feature, reduces the need for on-site visits and associated transportation emissions. * Finally, with the recent Windows 365 integration with Copilot in Intune, IT admins gain insights into Cloud PC connectivity trends, performance issues, and deployment gaps.   Figure 4: Copilot for Intune now manages Windows 365 Cloud PCs ENERGY STAR® - certified devices Microsoft and its Original Equipment Manufacturer (OEM) partners offer energy-efficient devices that incorporate recycled materials to help reduce environmental impact. Many laptops and tablets meet rigorous ENERGY STAR and EPEAT Gold standards — recognized benchmarks for energy use and environmental performance.   Surface embeds circular design in every device to help reduce carbon and minimize waste. Packaging is paper based, designed to use less material and minimize plastic content. Devices are engineered to deliver high performance while meeting energy efficiency standards. Pro, 12-inch performs 48% better than the ENERGY STAR baseline, while Laptop, 13-inch outperforms it by 68%.vi Additionally, the availability of spare parts and accessible repair guides has ensured easy serviceability to extend device use.vii The Microsoft Surface Emissions Estimator, now available on the web, and the Surface Management Portal in Intune offer more insights on Surface device fleets, including estimated carbon emissions resulting from manufacturing and usage.viii This model-level transparency allows procurement and sustainability teams to make informed decisions, track progress toward emissions goals, and align IT investments with corporate ESG commitments.  Figure 5: Microsoft Surface Emissions EstimatorFigure 6: Windows 365 Link Windows 365 Link is a compact, purpose-built Cloud PC device by Microsoft to connect users directly to Windows 365. It contains a minimum of 63% recycled content and has 100% paper-based packaging. It is estimated to use 50% less energy than the current ENERGY STAR© computer specification requirement and is designed to be long-lasting and repairable,.ix         And Windows 365 Boot allows organizations to extend the use of older PCs by enabling them to boot directly into a Cloud PC experience running Windows 11. This approach can allow you to make the most of your existing hardware while supporting your sustainability efforts and user needs.  Reduce, reuse, and recycle local machines Many Microsoft partners offer IT Asset Disposal (ITAD) or trade-in services to enterprises, government, small and medium businesses, schools, and consumers.   Microsoft also offers voluntary mail-back recycling programs for Microsoft-branded consumer products, batteries and/or packaging. There are also often recycling services in your community as well. Look online or ask Microsoft Copilot for guidance.   Real-world results and customer perspectives ENGIE, a global energy company, adopted both Windows 11 and Intune to support productivity and sustainability objectives. With cloud management and efficient features, ENGIE reduced its carbon footprint while enhancing employee experiences.  “Reducing waste, generating clean energy, and lowering emissions are part of our mission. And having a modern, secure, and scalable IT foundation supports all of that.” — Torsten Lesniak, Head of IT, Energy company EEW  Conclusion: Accelerating your sustainability journey Windows 11, Intune, and Universal Print are catalysts for more sustainable IT. From dynamic energy-saving features and cloud-based management to advanced analytics, implementing these products and services can help you take measurable steps toward sustainability.   Use Windows chip-to-cloud solutions and Microsoft Intune to make your computing endpoints more sustainable, efficient, and cost-effective.  ###   Resources * Read and share the Windows in the Cloud Sustainability Report   * Balance PC performance and energy efficiency with Energy Saver in Microsoft Intune  * Universal Print learn.microsoft.com/universal-print/  ____________________________ i Where available, Windows can schedule updates when greater amounts of low carbon energy sources (like wind, solar and hydro) are available on the local electrical grid. ii Based on comparison of virtual machines selected using the Microsoft Azure Virtual Machine Selector and a sample of in-market laptops with CPU count, RAM, and SSD storage in line with popular devices running low-to-medium-intensity workstreams, such as email, productivity apps, and streaming content. Emissions associated with manufacturing and transportation of new laptops (i.e., embodied carbon) are spread out over an expected use timeframe of three years to appropriately allocate emissions on an annual basis. iii Estimates are from the Azure Data Explorer platform using Azure Emissions Impact Dashboard data in October 2024 with an emissions data range of October 2023 – September 2024. The emissions calculation methodology aligns with the GHG Protocol Corporate Value Chain Scope 3 Standard and provides estimates for one year within the U.S. and Europe. Regional difference due to variations in location-specific grid emissions intensity. iv Based on Greenhouse Gas Equivalencies Calculator | US EPA. v Based on comparison of virtual machines selected using the Microsoft Azure Virtual Machine Selector with robust system specifications, such as geographic info systems-based analysis and computer-aided drafting and design. Emissions associated with manufacturing and transportation of new laptops (i.e., embodied carbon) are spread out over expected use timeframe of three years to appropriately allocate emissions on an annual basis. vi Computers that have earned the ENERGY STAR label are third-party certified to be energy efficient and use 25% - 40% less than conventional models by using the most efficient components and better managing energy use when idle. vii Replacement components available through online Microsoft Store and iFixIt for out-of-warranty repair. Components can be replaced by individuals with the knowledge and experience to repair electronic devices following Microsoft’s Service Guide. Microsoft tools (sold separately) may also be required. Availability of replacement components and service options may vary by product, market and over time. See [Self-repair information for your Surface device - Microsoft Support]. Opening and/or repairing a device can present electric shock, device damage, fire and personal injury risk, and other hazards. Use caution if undertaking self-service repairs. Unless required by law, damage caused during repair is not covered under Microsoft’s Limited Hardware Warranty or protection plans. viii The Microsoft Surface Emissions Estimator is only available in certain markets and only applies to Surface devices currently for sale. Contact your Surface seller for more details. ix Based on validation performed by Underwriter Laboratories, Inc. using Environmental Claim Validation Procedure, UL 2809-2, Second Edition, June 20, 2024. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

In our first 4 years in market, we focused on optimizing the Cloud PC experience for our customers and end users. Now, we have exciting news to share at the intersection of cloud and AI — Windows 365 AI-enabled Cloud PCs are combining the power of Windows 365 with AI acceleration to help users boost productivity, discover information faster, and streamline workflows, all while maintaining enterprise-level security and compliance. AI-enabled Cloud PCs deliver integrated Windows AI experiences to any device in any location, and are now available through the Microsoft Frontier Program. Frontier is an early-access initiative designed to accelerate AI innovation by giving select customers, partners, and influencers hands-on access to experimental features before they reach general availability. It is not just a beta program — it’s also about co-creation. Participants explore cutting-edge AI capabilities, provide feedback, and influence Microsoft’s roadmap . Availability and specifications are subject to change without notice. Learn more about Frontier . Disclaimer: Productivity improvements may vary based on configuration and usage. How are Windows 365 AI-enabled Cloud PCs different from Copilot+ PCs? Copilot+ PCs are physical devices with local 40+ TOPS NPUs that deliver AI features directly on the device. Windows 365 AI-enabled Cloud PCs, by contrast, run in the Microsoft Cloud and stream AI-powered Windows to any device and platform. With AI-enabled Cloud PCs, customers can count on: * Windows AI access anywhere: o   Experience high-performance Windows AI on any device with Cloud PCs that dynamically adapt compute power for more on-demand performance, streamed securely from the Microsoft Cloud. * Effortless productivity o   With improved Windows search and Click to Do, quickly find and act on files, images, and data with AI-powered search and context-aware answers — no app switching, just streamlined workflows. * Enterprise-grade security o   All data remains within your trusted Cloud PC environment, honoring regional compliance boundaries (European Database - EUDB). IT admins retain full control over enabling AI features for specific users.   Note: AI-enabled Cloud PCs are available on all 8 vCPU Cloud PCs in the following Azure datacenter regions: West US 2, West US 3, East US, East US 2, Central India, Central US, South East Asia, Australia East, UK South, North Europe, and West Europe. They will be coming to Japan East soon. Regional availability subject to change; check documentation for the latest updates. A new AI-enabled end-user experience AI-enabled Cloud PCs are identified by an “AI-enabled” label displayed on the device card within the Windows App. Windows App — logon experience for Windows The AI-enabled end-user experience also works on other platforms such as Apple iOS Mac devices. Windows App — logon experience for Apple Clients To use the new AI capabilities, improved Windows search and Click to Do, follow the instructions below. Cloud PC — desktop experience Supported Windows AI features in Windows 365 AI-enabled Cloud PCs offer the following features: * Improved Windows search (including OneDrive federated files support) * Click to Do AI-enabled Cloud PCs are marked by a magnifying glass with a sparkle icon within the search box on the taskbar. Improved Windows search With improved Windows search, users can locate files using descriptive queries, leveraging AI to interpret intent and deliver relevant results within the Windows search box in the taskbar and in File Explorer. For example, if you have a picture of a rugby game titled “Picture3.jpg”, and you search “rugby”, the correct file should appear. Accuracy of results may vary based on file content and indexing. Improved search experience in File Explorer Users can also search across multiple sources (local files and cloud storage through OneDrive) in a unified experience based on the content of the files rather than just metadata such as the title. This experience works within the Windows search box in the taskbar and in File Explorer. Improved search Start menu experience Note: Users can search for OneDrive files that haven’t been downloaded yet by entering keywords found inside the file’s text. To learn more about improved Windows search, see Find files fast with improved Windows search . Click to Do and Microsoft 365 Copilot & AI actions Click to Do simplifies the steps necessary to perform common actions on highlighted text or images on the screen. To activate this feature, press Windows key + Q or hold down the Windows key while clicking left on an element on your screen to export directly into Microsoft 365 Copilot for deeper integration, summarization, and other actions. Disclaimer: Feature requires Windows Insider Beta enrollment; functionality may change before general availability. Click to Do experience Microsoft 365 Copilot shows the prompt in a simple view to adjust the action, add your own AI agents to it, or simply click on the blue arrow button to push the prompt forward. Microsoft 365 Copilot — message box Ask Microsoft 365 Copilot — Summarizing and taking action. Microsoft 365 Copilot — app experience for summarizing data via Click to Do New AI actions are ready at your fingertips as new File Explorer context menu options. To learn more about Click to Do, see Click to Do: Do more with what's on your screen How to enable access to AI-enabled Cloud PCs IT admin controls By default, AI features are disabled on Cloud PCs, putting IT admins fully in control of when and for whom these capabilities are enabled — a key benefit for enterprise security and compliance. IT admins can enable AI-enabled Cloud PCs via a newly introduced policy setting within the Devices – Onboarding: Windows 365 > User Settings blade, and further filter access based on Microsoft Entra ID group access. How to join Frontier and access Windows 365 AI-enabled PCs To participate in our Frontier public release, you must meet the user and Cloud PC specifications, assign AI-enablement to Cloud PCs in Microsoft Intune, and enroll in the Windows Insider Program’s Beta channel. To enroll your Cloud PC in the Windows Insider Program, you must go to Windows Settings , followed by Windows Insider Program . Once ready, be sure to enroll in the Windows Insider Program with your Microsoft account or Microsoft Entra ID account and opt into the Beta Channel (Recommended) option. Note: We’re working on getting these features available outside of the Windows Insider Program. We will update this blog once it is ready. Windows Insider Preview Setup instructions for bulk Cloud PCs enrollment with Intune Here are step-by-step setup instructions for enrolling endpoints in the Windows Insider Program at scale using Intune, with pre-release builds enabled and the Beta Channel selected: * Sign into the Microsoft Intune admin center . * Navigate to: Devices > Windows > Update rings for Windows 10 and later * Create or edit an update ring policy : * Click + Create profile or select an existing policy to edit. * Configure Insider Builds : * Under Settings , find the section for Windows Insider build . * Set Enable pre-release builds to Yes . * In the same policy, locate the Pre-release channel setting. * Select Beta Channel from the dropdown menu. * Under Assignments , choose the groups containing the devices you want to enroll. Microsoft Intune — Windows Insider Program preview enrollment For more details, see Managing preview builds across your organization - Windows Insider Program . Health monitoring and analytics IT admins can also check whether a Cloud PC is AI-enabled or not via the Cloud PC overview Reports dashboard. Review information about AI-enabled features for Cloud PCs, including status and date created. Microsoft Intune — AI-enabled Cloud PC monitoring Or from the Essentials tab of the Intune Devices page. Microsoft Intune — AI-enabled Cloud PC monitoring Cloud PC licenses and regional support specifications To use AI-enabled features, your Cloud PC must meet the following requirements: * Have a Windows 365 Enterprise SKU that has at least 8vCPU, 32GB of RAM and 256GB of total disk storage. o   Note: final licensing with minimum requirements and other license options are subject to change. * Be deployed in one of the following supported regions: o   West US 2 o   West US 3 o   East US o   East US 2 o   Central India o   Central US o   South East Asia o   Australia East o   UK South o   West Europe o   North Europe, * Coming soon (not yet supported): o   Japan East * Where to find the AI-enabled Cloud PC Windows Cloud AI wallpaper o   Go to C:\Windows\Web\Wallpaper\Windows\ as part of 24H2 and 25H2 Windows 11 images in your Cloud PCs provisioned in November ’25 or later. Regional availability subject to change; check documentation for latest updates. For more detailed documentation and requirements, please go to our documentation at aka.ms/AICloudPCsLearn Reporting feedback on this Frontier release We’d love to hear from you — please use the following channels to provide feedback on our Frontier preview: * Feedback Hub (please report that you are using an AI-enabled Cloud PC.) * Windows 365 Tech Community Important note: Feedback may inform future development but does not guarantee implementation. Windows — Feedback Hub Watch our Windows in the Cloud podcast Watch the podcast below to learn more about the announcements today, the people who build the features, more real demos, and other behind the scenes information. aka.ms/AICloudPCsvideo Continue the conversation. Find best practices. Bookmark the Windows Tech Community , then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A .

At Ignite this year, we’re unveiling how Windows is evolving from an operating system into the canvas for AI, embedding intelligence across system, silicon, and hardware. This transformation helps organizations to move beyond experimentation and deliver AI-driven outcomes. For those aiming to become Frontier Firms — the world’s most ambitious organizations blending human ingenuity with intelligent systems — Windows is the foundation that makes it possible.   Windows is evolving to include agent-like functions built into the operating system, new tools offered by Microsoft 365 Copilot on Windows, and capabilities powered by Copilot+ PC hardware. As organizations seek to leverage AI, we’re envisioning Windows as an OS that aims to make interactions more natural, increase productivity, and offer a strong platform and ecosystem for AI innovation.  In this blog, we’ll provide a deeper dive into the Windows AI innovations we’re sharing at Ignite and what this means for your organization. We’re committed to ensuring Windows is the secure, manageable, and future-ready platform that prepares your organization to adopt AI and agentic innovations.   Join early access and learn more. Simple, personalized AI experiences on Windows 11 Windows empowers organizations to deliver flexible user experiences that feel truly personal — where employees can work how they want, without friction or compromise. With support for multi-modal interaction and deeper integration of Microsoft 365 Copilot capabilities in Windows 11, AI becomes more than just a natural part of everyday workflows; it makes every interaction intuitive and intelligent.   * A key example of new interaction models in Windows is voice in Microsoft 365 Copilot, which helps users quickly capture ideas for brainstorming, drafting responses, or preparing meetings. Simply say “Hey Copilot” (available in Frontier in the coming weeks) or press the Copilot key (Win+C shortcut for devices without a Copilot key) to open the quick view input box to activate voice. This allows you to stay focused or multitask, tapping into Copilot without any interruption of switching apps and windows. Start a back-and-forth conversation with Copilot, receiving real-time spoken responses based on both web and work data. Voice in Microsoft 365 Copilot is available now.   Voice in Microsoft 365 Copilot enables back-and-forth conversation and real-time spoken responses.   * When using AI agents that need a longer time to complete their tasks, like Researcher, Agents on the taskbar will show at-a-glance status and chain-of-thought logic, making it easy to check in on the agent’s progress and see its completion status. Coming soon in preview, this unifies how users invoke and manage AI agents across the OS and makes agents seamlessly accessible and interactive.   Monitor long-running agents directly on the Windows taskbar.   * Also coming soon in preview, users can conveniently use search and Ask Copilot on the taskbar in the new composer experience. Additionally, AI agents can be started directly from Ask Copilot on the taskbar by using the “tools” menu or typing ‘@’.   Use search and Ask Microsoft 365 Copilot directly in the taskbar with the new composer experience.   Tag an AI agent directly in Ask Copilot on the taskbar by typing “@”.   * In File Explorer Home, users will be able to hover over files in File Explorer and Ask M365 Copilot for on-demand assistance or insights. Users can enjoy streamlined file productivity without leaving their current context. This is rolling out before the end of 2025.   Hover over files in File Explorer Home and Ask M365 Copilot for on-demand assistance or insights.   * Need assistance with organizing your day? Coming soon to preview in December 2025, the new Agenda view appears right in Notification Center—offering a quick-glance, chronological list of your upcoming events, seamlessly integrated with Calendar in one unified interface. Users will also be able to interact directly with the events shown in their Agenda view, such as joining a scheduled meeting or engaging with Microsoft 365 Copilot. This makes it easier to prepare for upcoming meetings and streamline your day.   Agenda view provides a chronological list of upcoming events in one unified interface.   AI is also accelerating how organizations can support people across a diverse spectrum of accessibility needs to make the most out of their Windows 11 experience.   * Now in preview for Copilot+ PC users, AI-powered fluid dictation makes voice typing fast, accurate, and natural — enabling people to turn speech into text with minimal effort and need for manual corrections. Fluid dictation is available via the Win+H shortcut and dictation tools like voice typing and voice access, leveraging local, on-device models.   Fluid dictation for Copilot+ PCs leverages on-device AI models to make voice typing fast, accurate, and natural.   * Windows is also offering users a natural and life-like reading experience powered by Azure’s latest on-device text-to-speech models for English (US). These high-definition voices — now available in Windows Narrator and Magnifier voices — are built on advanced generative AI and adapt tone and pace contextually to make interactions feel intuitive and engaging. The cloud version of HD models is generally available in Azure Speech services. Find out about the latest updates to Azure Speech.   * Narrator announcements today are verbose and generic, offering little flexibility. In preview soon, AI-powered Narrator personalization addresses this by giving users precise control over what is announced and how. Users can now customize verbosity for control types and reorder their properties and create app-based profiles, so Narrator behaves differently in Word, Excel, or Outlook. They can make these adjustments using natural language and preview changes instantly before saving. This brings flexibility, speed, and focus to Narrator — allowing users to shape their experience to their work, not the other way around. "Having Microsoft 365 Copilot directly in Windows 11 and my everyday tools makes it feel like part of my workflow, not another app to learn." - Ryan Katreeb, Finance Manager, Levi's Expanded productivity capabilities on Copilot+ PCs In today’s fast-paced work environment, efficiency isn’t optional — it’s essential. Copilot+ PCs redefine what productivity looks like by bringing AI directly into Windows. Instead of navigating endless menus or switching between apps, employees gain an intuitive experience where AI anticipates intent and delivers context-aware guidance. Copilot+ PCs transform routine tasks into seamless actions, enabling teams to focus on creativity and problem-solving rather than process. The following features are exclusive to Copilot+ PCs:  * Find what you need, simply by describing it with improved Windows search. This semantic search capability enables you to find the right file without needing to remember exact file names or words in file content. Improved Windows search spans both local files and now cloud-based Microsoft 365 files, improving discoverability. This is gradually rolling out to commercial Microsoft 365 Copilot customers on Copilot+ PCs.  Improved Windows search on Copilot+ PCs now spans both local files and cloud-based Microsoft 365 files, improving discoverability.   * Act on what’s on your screen with Click to Do. You can send content to and Ask Microsoft 365 Copilot a question about what is on your screen without needing to switch context. Or, a table you see on your screen can instantly become a usable Excel table. Whether it’s an image from the web or something that’s being shown in a Teams meeting, Click to Do makes it easy to convert a table to Excel.   * Write with efficiency, confidence, and clarity. In preview soon, Writing Assistance with Microsoft 365 Copilot helps employees craft compelling content with AI-powered rewrite and proofreading. This is also available offline to Copilot+ PC users, as Writing Assistance leverages the on-device NPU on Copilot+ PCs to run AI models locally, reducing dependency on connectivity.   Writing Assistance with Microsoft 365 Copilot provides AI-powered rewrite and proofreading capabilities.   * Users can also summarize lengthy emails directly in Outlook, even when offline for Copilot+ PC users. This is rolling out to Copilot+ PC users at the end of the month. Windows for the agentic ecosystem It’s not just Windows 11 and Copilot+ PCs that demonstrate what’s possible when Windows and AI work together. * Windows also provides platform primitives for enterprises and developers to build and enable agentic workflows. Today, we’re introducing native support for the Model Context Protocol (MCP) in public preview, giving AI agents a standardized way to connect with apps and tools to automate routine scenarios and perform tasks on behalf of users. Built-in agent connectors for File Explorer and Windows Settings make it easy for agents to manage local files and modify device configurations seamlessly. In private preview, the new Agent workspace provides a contained, policy-controlled, and auditable environment where agents can operate like people — performing tasks in parallel without disrupting the user’s primary session. Finally, we’re expanding on-device AI capabilities with Microsoft Foundry on Windows, introducing new Windows AI APIs like Video Super Resolution (VSR) and Stable Diffusion XL (SDXL) to power next-generation AI experiences. Learn more about these new platform capabilities.   * Windows 365 for Agents enables AI-powered systems — such as Copilots, agents, and autonomous workflows — to access a full Cloud PC. These agents can browse websites, process data, and automate tasks, all within a secured, policy-controlled Cloud PC streamed from the Microsoft Cloud. Windows 365 is the backbone of some of the most advanced Microsoft AI initiatives and partner solutions. It serves as the execution platform for computer-using agents built into Microsoft Copilot Studio computer use — Microsoft’s toolkit for building custom Copilot AI agents to automate web tasks right from a prompt. Leading agent makers — Manus AI, Fellou, Genspark, Simular, and TinyFish — are already looking forward to leveraging Windows 365 to deliver next-generation AI solutions. Learn more about Windows 365 for Agents, now in preview.  A secure and manageable foundation Windows continues to deliver innovation without compromising on security or manageability, to meet the needs of your organization, wherever you may be on your AI journey. With Windows Autopatch, update readiness, hotpatch, and the Windows Resiliency Initiative, we continue to provide organizations with the tools needed to maintain a secure, resilient foundation.  * Available soon in public preview, IT admins will be able to manage agentic capabilities in Windows using familiar enterprise tools like Intune, Entra, and Group Policy. This includes enabling or disabling agent connectors and workspaces, setting minimum security policies for agent connectors, and deploying agent connectors with MSIX. Event logs provide visibility into agent activity, and advanced controls are planned for 2026, ensuring organizations can adopt AI on their terms. Learn more about enterprise management policies and capabilities.   * Recall with Microsoft Purview integration enables organizations to take advantage of Recall’s productivity features on Copilot+ PCs, while still maintaining robust data loss prevention controls. Recall is enterprise-ready, respecting organizational policies and Purview safeguards to help secure sensitive data across Office, Outlook, and Teams. This is now in preview for organizations with Copilot+ PCs. Read the blog, case study, and learn how to manage Recall in your organization.   Recall and Purview integration on Copilot+ PCs is now in preview.   Windows gives IT and organizations choice and control. By adopting Windows as your OS with security, compliance, and manageability at the core, your organization can adopt AI innovations at your own pace and build a future-ready foundation. Join early access to get the latest features To get early access to these features, join the relevant Windows and Microsoft 365 pre-release programs: * Join the Windows Insider Program Enroll devices in the Windows Insider Program (Dev or Beta Channel) to get pre-release builds of Windows. * Enable Targeted Release for Microsoft 365 In the Microsoft 365 admin center, set your tenant or selected users to Targeted Release to receive early updates to Microsoft 365 and Copilot. * Join the Office Insider Program (optional but recommended for local app previews) Get early access to new features in Word, Excel, PowerPoint, and other desktop apps. Learn more Read more about the Windows and AI at Microsoft Ignite 2025: Windows at the Frontier of Work. We look forward to seeing you in person and online at Microsoft Ignite: * Tuesday, November 18th, 2:30PM PST: BRK344 Agents at Work: Windows Powers the Era of Intelligent Productivity * Tuesday, November 18th, 5PM PST: BRK346 Secure & Manage the Most Productive, Intelligent OS: Windows 11 * Thursday, November 20th, 9AM PST: THR786 Copilot+ PCs & Microsoft 365: Secure, Smart, Efficient Windows For more information, please visit Windows 11 on Microsoft Learn and Microsoft Adoption Center. You can also join us here on December 2nd, 2025, for a Windows Tech Community Live AMA. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

The first set of tools and steps are now available to help you proactively update your Secure Boot certificates before they expire in June of 2026. Secure Boot is more mature and robust today than it was some years ago. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source. This helps prevent malware from running early in the startup sequence of a Windows device. Secure Boot certificates have always had expiration dates. New certificates help ensure that your devices stay up to date with the latest security protections.i That is why your organization will need to install the 2023 CAs before the 2011 CAs start expiring in June of 2026. Note: Need a refresher on why updating Secure Boot certificates is so important? * Read Act now: Secure Boot certificates expire in June 2026. * Bookmark Windows Secure Boot certificate expiration and CA updates. * Learn more about Secure Boot, signature databases and keys, and boot sequence. Many Windows PCs manufactured since 2024 already have the updated 2023 certificates. For the remaining devices, Microsoft is delivering new Secure Boot certificates through Windows monthly updates, with partner original equipment manufacturers (OEMs) making firmware updates available to help ensure compatibility. If you wish to proactively update your Secure Boot certificates, this post contains initial steps you can take and tools you can use, with more scalable approaches coming soon. At a minimum, we encourage you to monitor the progress of your device fleet from the start. Let’s get started. Here’s a summary of what you can do today to prepare: * Step 1: Inventory and prepare your environment * Step 2: Monitor and check your devices for Secure Boot status * Step 3: Apply OEM firmware updates before Microsoft updates * Step 4: Plan and pilot Secure Boot certificate deployments * Step 5: Troubleshoot and remediate common issues Step 1: Inventory and prepare your environment For most devices in your organization, Microsoft will automatically update high-confidence devices via Windows Update. However, you can validate and actively roll out these updates, in which case, you would start by conducting an inventory. Inventory Most devices manufactured since 2012 have Secure Boot enabled, but you should always verify that. You should also check the status of the Secure Boot certificates with sample inventory PowerShell commands or by checking the value of the UEFICA2023Status registry key (it should ultimately be “updated”). Out of the devices that show up as not updated, build a small, representative sample. We recommend that you focus on the less common devices, for which high confidence determination isn’t automatic. Then follow the rest of the steps outlined in this post to pilot the certificate updates and help ensure that deployment is successful Prepare select devices To prepare devices for Secure Boot certificate deployment, consider how you’ll manage it. There are several approaches to managing Secure Boot certificate updates. Today, you can use registry keysii or Group Policy. A Configuration Service Provider (CSP) for mobile device management (MDM), such as Microsoft Intune, is coming soon. Bookmark https://aka.ms/GetSecureBoot for the latest updates. * The primary method is to deploy the certificates to devices that have been validated as ready for the update. See Step 4 when you’re ready to deploy these updates! * For the more common device configurations in your environment, you can utilize two “assists” to manage your deployment: * * Get new certificates through monthly Windows updates for high-confidence devices. This option is enabled by default for devices that are ready for new certificates. Microsoft will update these devices for you unless you opt out. To opt out, set the HighConfidenceOptOut registry keyii value to 1 or set the Automatic Certificate Deployment via Updates Group Policy to Disabled. * Opt devices in to Microsoft-managed controlled feature rollout. With registry keys, set the value of MicrosoftUpdateManagedOptIn to 1 to opt in to Microsoft-managed controlled feature rollout. The value of 0 or non-existent key means that you’re opted out. With Group Policy, configure the Certificate Deployment via Controlled Feature Rollout policy to Enabled. Note: To opt in, please configure devices to share required diagnostic data with Microsoft. Important: All Secure Boot registry keys are under these two paths: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing. See Registry key updates for Secure Boot: Windows devices with IT-managed updates for more details. Group Policy settings are available to you under the following path: Computer Configuration > Administrative Templates > Windows Components > Secure Boot. To get the updates that include the Group Policy for deploying Secure Boot certificate updates, download the latest Administrative Templates (.admx) for Windows 11 and Windows Server. Step 2: Monitor and check your devices for Secure Boot status Check the Secure Boot status of your devices before and after deployment. Soon, you will be able to use your preferred management and reporting tools. For now, you can use registry keysii or Windows Event Log events to identify which devices already have new certificates and which ones need attention. Deployment progress The text value of the UEFICA2023Status registry key will indicate if your certificate deployment status is not started, in progress, or updated. The value will change progressively until all new certificates and the new boot manager have been deployed successfully. Successful deployment * Audit the Windows System Event Log events for Event ID 1808.iii This informational event indicates that the device has the required new Secure Boot certificates applied to the device’s firmware. * Audit the UEFICA2023Error registry key for issues. This key should not exist unless an error is pending. * Check that the text value of the UEFICA2023Status registry key reads as “Updated.” Errors during deployment * Audit the Windows System Event Log for Event ID 1801.iiiThis error event indicates that the updated certificates have not been applied to the device. Analyze details specific to the device, including device attributes, that will help you in correlating which devices still need updating. * Check if the UEFICA2023Error registry key exists. If so, it indicates an error in certificate deployment. The error itself won’t appear in the Event Log. Trace related issues through Secure Boot DB and DBX variable update events. Step 3: Apply OEM firmware updates before Microsoft updates Updated firmware can help prevent compatibility problems and ensure new Secure Boot certificates are accepted. If your organization has identified Secure Boot update issues or your OEM recommends a firmware update, apply the latest BIOS/UEFI update before installing Secure Boot–related Windows updates. Some OEMs provide firmware updates that include important fixes and updated certificate stores. These updates help Secure Boot function correctly with new Windows certificates. Microsoft works closely with OEM partners to ensure these updates integrate smoothly with Windows. Step 4: Plan and pilot Secure Boot certificate deployments As you’ve seen in Step 1, Microsoft can assist with your Secure Boot updates if you enable diagnostic data. You can also deploy new Secure Boot certificates yourself for devices that don’t already have them. Choose a way to do this with registry keys,ii via Windows Configuration System (WinCS) command-line interface (CLI), or using Group Policy today. Pilot your desired method first on a representative set of devices to gain confidence. In a typical enterprise deployment, whatever option you choose, allow approximately 48 hours and one or more restarts after changing configuration for updates to fully apply. See How updates are deployed for more details. For testing scenarios, you can accelerate the experience by following the steps outlined in Device Testing Using Registry Keys. Important: Avoid mixing deployment methods on the same device. For additional technical recommendations to help you plan and deploy your Secure Boot updates, see Deployment strategies. Option 1: Deploy certificates with registry keys Find the AvailableUpdates registry key located under this registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot Set its value to 0x5944 to deploy all needed certificates and update to the Windows UEFI CA 2023 signed boot manager. This key corresponds to the Group Policy setting Enable Secure Boot certificate deployment. For details, see Registry key updates for Secure Boot: Windows devices with IT-managed updates. Option 2: Deploy certificates via Windows Configuration System (WinCS) New command-line tools are now available for domain-joined clients on Windows 11, versions 25H2, 24H2, and 23H2. These include both a traditional executable and a PowerShell module to query and apply Secure Boot configurations locally to a device. For step-by-step guidance, see Windows Configuration System (WinCS) APIs for Secure Boot. Deploy the Secure Boot updates via WinCS: * Feature name: Feature_AllKeysAndBootMgrByWinCS * WinCS key value: F33E0C8E002 * Secure Boot configuration state: Enabled Option 3: Deploy certificates using Group Policy Group Policy settings are available by navigating to Computer Configuration > Administrative Templates > Windows Components > Secure Boot. To apply Secure Boot updates to devices using Group Policy, set the Enable Secure Boot certificate deployment policy to Enabled. This lets Windows automatically begin the certificate deployment process. This setting corresponds to the registry key AvailableUpdates. Be sure to get the latest version of the .admx for Windows 11 and Windows Server. For more details, see Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates. Option 4: Deploy certificates using mobile device management (coming soon) Soon, you’ll be able to manage Secure Boot updates using MDM solutions, such as Microsoft Intune. When this method is available, we will post updated guidance at https://aka.ms/GetSecureBoot. Step 5. Troubleshoot and remediate common issues You can also use registry keys and Windows Event Log events to identify and resolve common issues: * The UEFICA2023Error registry key doesn’t exist if there are no errors. If it exists with a value other than 0, check your remediation recommendations in Secure Boot DB and DBX variable update events. * The AvailableUpdates registry key on a device is set to 0x4104. If it doesn’t clear the 0x0004 bit even after multiple restarts, the device doesn’t progress past deploying the new Key Exchange Key (KEK) certificate. If you encounter this error, check with your OEM to confirm they have followed the steps outlined in Windows Secure Boot Key Creation and Management Guidance. * If Event Viewer Windows Logs for System registers an Event ID 1795,ii it means that there was an error when Windows attempted to hand off the certificates to firmware. Check with the OEM to see if there is a firmware update available for the device to resolve this issue. Your update strategy begins today Today, you can start preparing, monitoring, deploying, and troubleshooting Secure Boot certificates in advance of the June 2026 expiration date. The new registry keys, WinCS, Group Policy, and Windows Log tools are here to support you and are just the beginning. More tools for additional scenarios are in development. For the latest information, bookmark Windows Secure Boot certificate expiration and CA updates. Looking for a specific topic? * Find the deployment playbook and troubleshooting guidance in the updated Secure Boot Certificate Updates: Guidance for IT Professionals and Organizations. * New! Registry key updates for Secure Boot: Windows devices with IT-managed updates. * New! Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates. * New! Windows Configuration System (WinCS) APIs for Secure Boot. * Have a question? Browse answers to Frequently asked questions about the Secure Boot update process. * If you’re an OEM, find helpful resources at Windows Secure Boot Key Creation and Management Guidance. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A. iUpdated certificates are the latest security measure to address the BlackLotus UEFI bootkit vulnerability tracked by CVE-2023-24932. iiRegistry key support is available to Windows 10, version 22H2 and newer versions (including 21H2 LTSC), all supported versions of Windows 11, as well as Windows Server 2022 and later. Any other versions of Windows still in support will get these registry keys soon. iiiFor all events, go to Event Viewer > Windows Logs > System. Please see complete details under Secure Boot DB and DBX variable update events.

Windows is committed to making sign-in simpler, quicker, and more secure for every user. Today, we’re excited to announce a major step forward in passwordless authentication: native support for passkey managers in Windows 11. This new capability empowers users to choose their favorite passkey manager — whether it’s Microsoft Password Manager or trusted third-party providers. It’s generally available with the Windows November 2025 security update. By partnering closely with third-party managers, we’re delivering a more flexible, secure, and intuitive experience for Windows users everywhere, starting with 1Password today and other passkey managers coming soon.  “Working alongside the Windows Security team on the development of the passkey plugin API for Windows 11 has been a rewarding partnership. As the first password manager to offer native passkey support in Windows 11, we’re proud to give customers a seamless passwordless experience inside and outside the browser. Together, we’ve ensured that 1Password and other third-party passkey providers can deliver a secure, standards-based experience natively on Windows, marking another major step towards a passwordless future.” - Travis Hogan, End User Group Product Manager, 1Password Why plugin passkey managers? Passkeys are phish-resistant, less vulnerable to data breaches, and easier and faster to use than passwords. With plugin passkey manager support, you get: * Choice and flexibility: Use your preferred passkey manager natively on Windows. * Easy authentication: Create and sign in with passkeys using Windows Hello. * Passkeys everywhere: Your passkeys are synced between your Windows PCs and mobile devices. They go where you go. Saving a passkey to 1Password Easier authentication, with Windows Hello With plugin passkey manager support, packaged credential managers can integrate directly into Windows. Users can save, manage, and use passkeys across browsers and native apps — thanks to the new plugin provider capability. Setting up your credential manager is part of the passkey creation flow. Authentication uses Windows Hello — whether that is PIN, face, or fingerprint — so only you can access your credentials. Microsoft Password Manager We’ve integrated Microsoft Password Manager from Microsoft Edge natively into Windows as a plugin. That means you can use it in Microsoft Edge, other browsers, or any app that supports passkeys. Saving a passkey to the Microsoft Password Manager plugin on Windows This integration of Microsoft Password Manager from Microsoft Edge comes with added security benefits: * Passkey operations (creation, authentication, and management) are protected by Windows Hello. * Passkeys stored in Microsoft Password Manager will be synced and available on other Windows devices where the user is logged into Microsoft Edge with the same Microsoft account. * Syncing is protected by your Microsoft Password Manager PIN and a cloud enclave solution. * Azure Managed Hardware Security Modules (HSMs) help protect encryption keys. * Sensitive operations are performed inside a hardware-isolated environment in Azure Confidential Compute.  * There is tamper-proof recovery with Azure Confidential Ledger. In other words, your passkeys are securely stored and easy to use. Securing the present, innovating for the future Join us as we build a passwordless future - one passkey at a time. Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems that are secured by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience. The updated Windows 11 Security Book and Windows Server 2025 Security Book are great tools to help you understand how to stay more secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.  Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. Also, follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.  --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

The power of automated Windows update management is coming to government SKUs! Starting this month, you can use Windows Autopatch to help keep devices at your organization secure and productive with minimal disruption to users. This cloud-based service that has a proven record with enterprises has now been approved to be added to the Azure FedRAMP High Provisional Authorization to Operate (P-ATO). Learn what this means for your environment and how to get started! New Windows Autopatch service for GCC subscriptions Windows Autopatch is now available to US government organizations as part of Microsoft 365 Government. This is what Windows Autopatch allows you to accomplish for your Government Community Cloud (GCC) devices: * Windows Autopatch provides control over which content is approved for deployment to which devices through Windows Update. * Windows Autopatch groups help you automate a safe rollout process. You can distribute devices into rings and recommend release schedules, leaving you with the final say. * Get secure faster with hotpatching: apply security patches without waiting for a restart. * Pause or expedite monthly quality updates or drivers for groups of devices in your environment. * Simplify update compliance reporting. Windows Autopatch reporting tracks which devices have the latest updates installed with less than 4-hour latency. * Manage policy and see reporting through the Microsoft Intune admin center. Get started with Windows Autopatch To begin, double-check that your devices meet the prerequisites for Windows Autopatch. Configure role-based access control to manage access to your organization’s resources and network. If you’re using Microsoft Intune, the easiest way to automate your update process is to create one or more Windows Autopatch groups: * Go to the Microsoft Intune admin center. * In the left pane, select Tenant administration and then navigate to Windows Autopatch > Autopatch groups. * Create a Windows Autopatch group and assign devices, automating a few things: * Distribute devices for gradual rollout into a set of Microsoft Entra groups. * Configure a safe rollout schedule using update rings. * (Optional) Configure content approval using feature and driver update policies. * (Optional) Configure update settings for Microsoft 365 Apps and Microsoft Edge. * Enroll devices to receive hotpatch updates, getting them secure faster. * That’s it! Just monitor the reports to ensure that you’re hitting your update compliance targets. Instead of Windows Autopatch groups, you can also create individual policies: * Update rings: Control update settings on targeted endpoints. * Windows quality updates: Configure your device to receive hotpatch updates. * Expedited quality updates: Deploy a specific quality update more quickly. * Windows feature updates: Choose the version of Windows approved for deployment for a group of devices. * Driver and firmware updates: Control which drivers are approved for deployment for a group of devices. Regardless of which setup option you choose, if your device is included in a policy, it will show up in the reports for that content type. What about other Azure Government Cloud offerings? Windows Autopatch is not currently supported in US Government Community Cloud High (GCC High) or Department of Defense (DoD) environments. We are working on expanding our service to meet those requirements. Welcome to automated update management! Come be part of the Windows Autopatch community! Here are the resources you’ll need to get started and get support: * Windows Autopatch documentation * Windows Autopatch on the Windows IT Pro Blog * Windows Autopatch: Your playbook for advanced update management * Inside hotpatch updates for Windows * Hotpatch for client: Frequently asked questions --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Microsoft Ignite 2025 is coming soon: November 18 – 21. Read up on the range of sessions including breakouts (in person and online), hands-on labs, community roundtables, and much more. You can register for digital Microsoft Ignite and plan your event schedule now. Have questions about what you learned at Microsoft Ignite? Save the date for Tech Community Live: Windows edition on December 2. Ask Microsoft Anything sessions start at 8 AM PT and are a great way to get answers to your questions from our engineering teams. Keep reading to catch up on other important articles and announcements from October 2025. New in Windows update and device management [HOTPATCH] Curious why hotpatch updates are smaller in size than standard Windows updates? Find a quick explanation and learn why smaller updates help you achieve security and compliance more quickly. Learn how Microsoft implemented hotpatch updates internally. [INTUNE SETTINGS CATALOG] New settings for Windows 11, version 25H2 are now available in the Microsoft Intune Settings Catalog and are ready for you to use in your device configuration profiles. [INTUNE ADVANCED ANALYTICS] Get to know Microsoft Intune Advanced Analytics and the real-world scenarios that benefit from deeper insights into device health, the user experience, and organizational trends. [INTUNE] Discover the 10 key Microsoft Intune capabilities that will simplify the upgrade to Windows 11. These include readiness insights, policy controls, and app compatibility tools. [FRONTLINE] Emergency services increasingly use mobile devices to empower early responders and teams in the field. Get tips on how to manage devices for early responders so they have real-time access to the information they need on the frontlines. [EPHEMERAL OS DISK SUPPORT] Ephemeral OS disk support on Azure Virtual Desktop is now in public preview. Designed for stateless workloads, this capability stores the OS on the virtual machine’s local storage instead of remote storage, enabling faster session host creation and improved performance. [PREINSTALLED APP MANAGEMENT] You can now remove select provisioned in-box apps using a straightforward policy rather than custom imaging and complex scripts. This policy is available for devices running Windows 11 Enterprise, version 25H2 and Windows 11 Education, version 25H2. [WINDOWS 365] Get guidance on identifying the ideal connection option for Windows 365 Cloud PCs for your users. Explore use cases for Windows 365 Link, Windows 365 Boot, Windows 365 Switch, and the Windows App. [WINDOWS UPDATE] We are simplifying Windows Update titles for clarity and consistency across Windows, .NET framework, drivers, AI components, and Visual Studio updates. Explore the latest changes and stay tuned for future improvements. New in Windows security [SFI] Check out the latest Microsoft Secure Future Initiative (SFI) patterns and practices for actionable, relevant guidance in the areas of network, engineering systems, and security response. New in AI [AI FOR WINDOWS DEVELOPERS] Now that Windows Machine Learning (ML) is generally available, check out our guide of helpful resources for AI development in Windows. [UPDATES] The October 2025 non-security update for Windows 11, version 25H2 and version 24H2 includes the following feature, which will be rolled out gradually. * [MICROSOFT 365 COPILOT] A new Microsoft 365 Copilot page has been added to the Get Started experience for commercial devices with an active Microsoft 365 subscription. Learn more about Microsoft 365 Copilot features and how to get started using them. New in productivity and collaboration New features and improvements are coming in the November 2025 security update. You can preview them by installing the October 2025 optional non-security preview update for Windows 11, version 25H2 and version 24H2. This update includes the gradual rollout of: * [START] The Start menu layout has been redesigned to help you access your apps more quickly and smoothly, making it easier than ever to find what you need. * [BATTERY] The battery icons now display colored icons to indicate charging states and feature simplified overlays that don’t block the percentage bars, plus there’s an option to display battery percentage. * [ACCOUNTS] The “Email & accounts” section is now called "Your accounts." You can manage all your accounts under Settings > Accounts. Lifecycle milestones Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025. * [WINDOWS 11 23H2] Windows 11, version 23H2 (Home and Pro editions) will reach end of servicing on November 11, 2025. Enterprise and Education editions will continue to be serviced through November 10, 2026 per the Modern Lifecycle Policy. * [WINDOWS 10 ESU FOR WINDOWS 365] Windows 10 reached end of support on October 14, 2025. Learn how to extend your Windows 10 devices with Windows 365, including creating Windows 10 custom images with Extended Security Updates (ESUs), using ESUs for physical PCs connecting to Windows 365, and more. * [WINDOWS 10 ESU FOR AZURE VIRTUAL DESKTOP] Windows 10 reached end of support on October 14, 2025. Learn about the Windows 10 Extended Security Updates (ESUs) for Azure Virtual Desktop across these scenarios: Existing session hosts, creating new session hosts, Microsoft 365 Apps support for Windows 10, and Windows 10 ESU support. Additional resources Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, Windows Server, the Windows and Windows Server Insider Programs, and more? Check out these resources: * Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name * Microsoft 365 Copilot release notes for latest features and improvements * Windows Server 2025 release notes and Windows Server, version 23H2 release notes for the latest features and improvements for Windows Server * Windows Insider Blog * Windows Server Insider for feature preview opportunities * Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders. If you’re planning to be in San Francisco for Microsoft Ignite 2025, please stop by the Windows booth and say hi—I’ll even pose for selfies! In our November edition, we’ll provide a wrap-up of Microsoft Ignite 2025—and much more Windows news you can use. We’re looking to make this monthly summary more helpful to you! Please drop us a note below and let us know what information you most want to hear about. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

As support for Windows 10 officially ended on October 14, 2025, it is important that organizations with devices remaining on Windows 10 stay as protected as possible through the Windows 10 Extended Security Updates (ESU) program. To help ensure your Windows 10 devices are activated with an ESU license, here is a quick guide on: * Where to find the Multiple Activation Key (MAK) included with your Windows 10 ESU purchase. * How to activate those licenses on your devices. * How to prepare Windows 10 physical endpoints utilized by users with an active Windows 365 subscription. For complete details on how to prepare your Windows 10 devices, see Enable Extended Security Updates. Activating a Windows 10 ESU license on a physical device Prerequisites for ESU activation To activate the Windows 10 ESU MAK on a device, ensure the following requirements are met: * Windows 10, version 22H2 with KB5066791, or a later update installed * Local administrative privileges required * Devices must be able to reach Microsoft activation endpoints: * https://go.microsoft.com * https://login.live.com * https://activation.sls.microsoft.com * http://crl.microsoft.com * https://validation.sls.microsoft.com * https://activation-v2.sls.microsoft.com * https://validation-v2.sls.microsoft.com * https://displaycatalog.mp.microsoft.com * https://licensing.mp.microsoft.com * https://purchase.mp.microsoft.com * https://displaycatalog.md.mp.microsoft.com * https://licensing.md.mp.microsoft.com * https://purchase.md.mp.microsoft.com Additional endpoints needed for Windows 10 devices accessing Windows 365 Cloud PCs: * https://dls.microsoft.com * https://login.windows.net Locating your Windows 10 ESU Multiple Activation Key Note: You must be assigned either the Product Key Reader or VL Administrator role in the Microsoft 365 Admin Center to view MAK keys.  More information can be found at Manage volume licensing user roles | Microsoft Learn. After ensuring that your account has the necessary admin role: * Sign in to the Microsoft 365 admin center at https://admin.microsoft.com. * Navigate to Billing > Your Products > Volume licensing. * Select View contracts and locate your ESU purchase. * Click View product keys to display all available MAK keys. If you cannot find your organization’s Windows 10 ESU MAK key, contact Microsoft volume licensing support. Activating the ESU license on each device You manage licensing and activation on devices using slmgr.vbs. To activate the ESU key on the client device, you have the following options: * Use a management tool such as Microsoft Intune or Microsoft Configuration Manager to run the script. * Use the Volume Activation Management Tool (VAMT) as a proxy activationserver. * Manually run a command line script on the device. * Activate ESU keys via telephone. For complete details on how to activate an ESU license your Windows 10 devices, see Enable Extended Security Updates. Verifying device licensing and ESU enrollment via MAK To verify that the ESU key is installed and activated, run the following command from an elevated Command Prompt: slmgr.vbs /dlv The output should show the Name of the corresponding ESU program and the License Status as “Licensed” for that program. Windows 365 and Windows 10 ESUs Cloud PCs running Windows 10, version 22H2 in Azure are automatically entitled to Windows 10 ESUs at no additional cost and do not require license activation. If your users connect to a Windows 365 Cloud PC from a physical Windows 10 endpoint, that endpoint may be entitled to ESUs at no additional cost. However, there are some requirements to enable the physical endpoint to receive ESUs: * Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. * Users with a Windows 365 subscription associated with their Microsoft Entra ID must sign in to the Windows 10 endpoint with their Microsoft Entra ID at least once every 22 days. * A policy or registry key must be enabled on each physical device to enable the verification of the Windows 365 subscription. Extended Security Updates for local devices accessing Windows 365 Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365 Frontline Cloud PCs in dedicated mode are automatically entitled to ESU for the duration of the ESU offer if the user has an active Windows 365 Enterprise license assigned or Windows 365 Frontline Cloud PC in dedicated mode provisioned, provided the following conditions are met: * The local Windows 10 device is either Microsoft Entra joined or Microsoft Entra hybrid joined. * Devices that are only Microsoft Entra registered or on-premises Active Directory joined aren't eligible for commercial ESU access with Windows 365. Windows Autopatch enrollment is not a requirement. * Personal or BYOD devices that are not managed by the organization and are only Microsoft Entra registered will not qualify for this entitlement. These devices should be enrolled via the Consumer ESU program. An eligible user can activate up to 10 devices. * Users must sign in to their physical Windows 10 device using the same Microsoft Entra ID account they use for Windows 365 Cloud PCs at least once every 22 days to maintain eligibility for ESU updates on that device. Note: IT administrators must use Microsoft Intune or another MDM provider to deploy a custom policy that enables the EnableESUSubscriptionCheck flag. This policy helps verify whether a device is enrolled in the Windows 10 ESU subscription program. For complete details on how to prepare your Windows 10 devices, see Enable Extended Security Updates. Verifying device licensing and ESU enrollment You can verify that Windows 10 ESU entitlements are assigned to your users’ Windows 10 Cloud PCs and their physical Windows 10 endpoints in these locations: * Windows 365 Enterprise - In the Microsoft 365 admin center, navigate to Billing > Licenses > Windows 365 Enterprise > Assign licenses. The box for "Windows 10 ESU Commercial" should be checked. * Physical Windows 10 endpoints - In the Registry Editor, navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU. There should be a DWORD value for EnableESUSubscriptionCheck. The data should be 1. Or, in the Event Viewer, look for Event ID 113 under Applications and Services Logs > Microsoft > Windows > ClipESU. Note: This event log is specific to the Windows 10 Cloud PC scenario and not MAK key scenarios in general. Azure Virtual Desktop and Windows 10 ESUs Windows 10 ESUs are available at no additional cost for Windows 10 virtual machines in the following Microsoft-hosted or Azure-integrated environments: * Azure Virtual Desktop * Azure virtual machines * Azure Dedicated Host * Azure Local (formerly Azure Stack HCI) * Azure Stack Hub * Azure Stack Edge No additional configuration or keys are needed for these environments. Other virtualization platforms that run on Microsoft Azure, (such as Nutanix, Citrix, or Omnissa Horizon on Azure VMware Solution) may require manual ESU key activation. Contact your Microsoft account team to obtain a 5x5 key. Activation can be managed with the VAMT or with a script. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

  The Windows Platform is evolving—learn the latest Microsoft Ignite 2025 is coming to San Francisco, November 18-21, and we’re excited to share the latest details on everything new in Windows! Whether you’re attending in-person or digitally, we’ve got you covered.   We’ve talked about how we’re helping customers to build AI-enabled, cloud-powered IT platforms that are flexible, secure, and resilient, and this year we’re furthering that vision. At Ignite 2025, you’ll have the opportunity to dig deep into how Windows is becoming the platform for AI experiences that empower you to unlock new levels of productivity and innovation:  * Up your knowledge and skillsets in our in-depth technical breakouts * Gain practical takeaways from theater sessions and demos * Get immersive, hands-on experience in the labs * Swing by the EMU/HUB for live demos, games, and prizes as we celebrate 40 years of Windows — honoring the past and shaping the future!  If you’re joining us in person, Ignite is always a great moment to connect with your professional network of peers, partners and customers as well, so do not miss out—hope to see you there! Featured breakout session Agents at Work: Windows Powers the Era of Intelligent Productivity Tuesday November 18th, 2:30pm-3:15pm PST The future of work is here. See how Windows combines security, adaptability, cloud, and AI to empower organizations and people to create, decide, and grow. Breakout sessions (in person and online) Last year, thousands came together to learn, connect, and discover solutions—showcasing the future of Windows innovation and customer-driven breakthroughs. Don’t miss what’s next! Join these powerful breakout sessions to learn the latest about Windows AI innovation, cloud-powered productivity, enhanced security, seamless device recovery, and groundbreaking Windows 365 features. Agents at Work: Windows Powers the Era of Intelligent Productivity Tuesday November 18th, 2:30pm-3:15pm PST The future of work is here. See how Windows combines security, adaptability, cloud, and AI to empower organizations and people to create, decide, and grow. Unlock the full power of Windows 365 Tuesday November 18th, 1:00pm-1:45pm PST Join us to discover the power of the cloud with Windows 365. Learn how the latest platform improvements and core features deliver strong resiliency and seamless integration with new AI capabilities, exciting feature updates, and the rest of Microsoft ecosystem. Experience user-friendly enhancements designed to boost your productivity and satisfaction. Get practical insights and actionable strategies to help you unlock the full potential of Windows 365.  Unlock efficiencies with Windows 365 Frontline & Cloud PC devices Wednesday November 19th, 1:30pm-2:15pm PST Learn how the latest innovations in Windows 365 Frontline and Cloud PC devices such as Windows 365 Link can boost productivity, strengthen security, and improve end-user experience while helping you optimize IT investments. From manufacturing, to retail, to call centers, discover how new capabilities and offerings for Windows in the cloud including purpose-built devices can unlock efficiencies in shared spaces.  Resilient by design: How Windows has evolved with new recovery tools Thursday November20th, 1:00pm-1:45pm PST Explore advancements in Windows resiliency. Learn about joint efforts with security partners to develop security tools that operate outside the Windows kernel. Get to know new Windows recovery tools and features designed to restore devices efficiently after unforeseen PC incidents. Secure & Manage the Most Productive, Intelligent OS: Windows 11 Tuesday November18th, 5:00pm-5:45pm PST For 40 years, Windows has powered work. Now, Windows 11 redefines productivity and manageability - combining secure-by-design architecture, energy-efficient silicon, and seamless M365 and Copilot integration. As Windows evolves into an agentic OS, it enables smarter workflows with local AI, NPU-accelerated experiences, and new LOB app potential. Join us to explore the future of secure, AI-powered work. What’s new & what’s next in Azure Virtual Desktop Thursday November 20th, 9:45am-10:30am PST Azure Virtual Desktop continues to evolve, helping you enhance management efficiency, scalability, and connectivity for your workloads. Learn about the latest innovations in Azure Virtual Desktop, understand why it is especially attractive to industries like healthcare, and discover how to accelerate your cloud migration with Azure Virtual Desktop. The future of managing updates on Windows Wednesday November 19th, 4:00pm-4:45pm PST Discover best practices for managing updates on Windows. Learn how to enable hotpatch updates, the recommended way to keep devices secure with the latest updates. See how easy it is to use Windows Autopatch for update deployment, management, and (now) update readiness and reporting! We also cover what it means for Windows to be an agentic OS and how you can manage AI capabilities for Windows in your environment today. Theater sessions Check out the theater sessions taking place in the expo hall to quickly grasp complex technical concepts and see product functionalities in action.   Cloud PC devices: Get started with Windows 365 Link and see what's new Wednesday November19th, 4:00pm-4:30pm PST Cloud PC devices such as Windows 365 Link are simple, secure, purpose-built devices for Windows 365 that can help you improve end-user and IT efficiency in shared spaces. Join us to get an overview of the benefits of this solution, discover how to efficiently deploy and manage it using Microsoft Intune, and learn what’s new across end-user and IT experiences.  Get started with Windows 365 Frontline and Cloud Apps Tuesday November 18th, 5:15pm-5:45pm PST Discover how Windows 365, enhanced with Frontline in shared mode and Cloud Apps capability, delivers flexible, secure, and cost-effective solutions tailored for today’s dynamic workforce. Join us to see why Windows 365 is the smart choice to empower your organization’s evolving needs and streamline IT management. Hybrid AI: Unlocking Latency, Privacy & Cost Benefits with Copilot+ PC Tuesday November 18th 3:45pm-4:15pm PST The future of AI is hybrid - running inference on a PC and in the cloud. Discover applications and vertical use cases that leverage local AI through Windows AI Foundry while running on Copilot+ PC, for improved latency, data privacy, and cost. Copilot+ PCs & Microsoft 365: Secure, Smart, Efficient Windows Thursday November 20th, 9:00am-9:30am PST Discover how Copilot+ PCs and Microsoft 365 combine to deliver the most intelligent, secure, performant, and efficient Windows experience. Featuring AI-powered productivity, enhanced security with Microsoft Pluton, up to 22 hours of video playbook, 30% faster device management proactive diagnostics, and data protection in the AI era, ideal for IT leaders optimizing ROI. Future of managing Windows Thursday November 20th, 11:00am-11:30am PST We release new Windows features and enhancements year-round. Learn how to stay up-to-date on what’s coming next in security, productivity, and AI. Learn how to preview features on individual devices, virtual machines, or across your organization so you can deploy the latest features and updates faster and with confidence. We'll also explore how you can engage directly with the product teams with related programs like the Customer Connection Program. Windows in the Cloud: Resilience Meets Productivity Thursday November 20th, 4:00pm-4:30pm PST Disruptions happen—whether from device failures, cyberattacks, or unexpected outages—but downtime doesn’t have to. Join us to learn how Windows in the cloud delivers end-to-end resiliency, and discover how Windows 365 Reserve helps organizations rapidly recover, keep employees productive, and maintain business continuity—even in the face of disruptions. Labs Ignite labs are in high-demand, so please RSVP and arrive 5 minutes before the start time, at which point remaining spaces are open to those on standby.  Manage AI capabilities for Copilot+ PCs and Windows 11 Thursday November 18th, 4:30pm-5:45pm PST Get hands-on experience with enabling and managing AI experiences for Windows. Explore the customizations available to users and the controls available to IT admins. Learn how to use Microsoft Intune or Group Policy to fine-tune popular features like Recall, Copilot, Click to Do, and Image Creator. We’ll also walk through managing privacy and compliance, and end user readiness.  Windows 365 Reserve: Fast, Flexible, and Ready for Anything Tuesday November 18th, 1:00pm-2:15pm PST In this hands-on lab, learn how to deploy secure, on-demand Cloud PCs using Windows 365 Reserve—ideal for travel, recovery, and temporary access. You'll create provisioning profiles, assign Cloud PCs, and configure Conditional Access, Entra ID, and networking. Experience the full user journey from sign-in to productivity. Leave equipped to streamline endpoint readiness with minimal overhead and respond to unexpected needs. Windows 365 Frontline: Explore Dedicated, Shared, Cloud Apps Tuesday November 18th, 2:45pm-4:00pm PST Go from zero to hero in this hands-on lab exploring Windows 365 Frontline. Learn to create and configure Dedicated, Shared, and Cloud Apps environments. Understand when to use each model for shift workers, task-based roles, or app-only access. Walk through provisioning, Entra ID, Intune, and Conditional Access. Experience the user journey and leave ready to optimize for performance, cost, and compliance. Windows 365 AI Lab: Improved Windows Search & Click to Do in action Tuesday November 18th, 4:30pm-5:45pm PST Explore Windows 365 AI in this hands-on lab! Configure and experience features like Advanced Search and Click to Do on Cloud PCs. Learn prerequisites, enable AI-driven workflows, and boost productivity for IT admins and end users. Automate tasks with natural language and take smart, context-aware actions directly from your screen. Windows 365 Deployment Lab: Cloud Native, Zero Trust, Fully Ready Wednesday November 19th, 10:00am-11:15am PST Learn to deploy Windows 365 Cloud PCs using a secure, scalable model. In this hands-on lab, set up provisioning policies, integrate with Microsoft Entra, apply Zero Trust networking, and configure Conditional Access. Experience the full user journey and admin setup. Monitor and manage with ease. Leave with a blueprint to deploy, secure, and scale Cloud PCs efficiently. Online sessions On-demand sessions are 15-45 minutes in length prerecorded sessions that can be watched on demand. Recordings will be available beginning Tues Nov 18th starting at 10am.   Lighting up continuous innovation in Windows 11 On demand Continuous innovation means that we release new features and enhancements for Windows 11 year-round, when they are ready based on quality and reliability. Learn how to stay up-to-date on what’s coming next and set up deployments rings so that you can empower your users with the best experiences, sooner. Windows & Intune: Enabling the Sustainable Enterprise of the Future On demand Discover how Windows and Intune are enabling sustainable IT transformation. Learn how cloud-powered devices, intelligent management, and carbon-aware features help reduce emissions and improve efficiency. Backed by a recent WSP USA analyst report, this session offers data-driven insights and strategies to build a greener, smarter enterprise. In person, in San Francisco If you’re joining us in person at Microsoft Ignite 2025, make the most of your experience by planning ahead and engaging directly with the Windows team!   Don’t miss the chance to stop by our booth in the EMU/HUB, where you can celebrate 40 years of Windows with live demos, games, and exclusive anniversary swag. Take advantage of 1:1 consultations with Windows experts, connect with peers during networking events, and immerse yourself in the latest innovations designed to inspire and empower you throughout Ignite. See the below day by day schedule of all the Windows happenings.  Connect with peers and experts Connect directly with the people building the Windows platform in The Hub at the Expert Meetup area in the main exhibit hall. 1:1 consultations with engineering SMEs are also available. Log in to the Microsoft Ignite site to sign up! After Microsoft Ignite Tech Community Live: Windows edition After catching up on latest Windows platform capabilities, join us for four hours of Ask Microsoft Anything sessions December 2 at Tech Community Live! Save the date and get more details.   --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Editor's note 9.26.2025 – The date for blocking connections has moved. Now connections to Windows 365, Azure Virtual Desktop, and Microsoft Dev Box will be blocked when using the Remote Desktop app starting September 30, 2025. Connections to Remote Desktop Services and remote PC connections will remain unaffected. Editor's note 3.11.2025 – This blog applies only to the Windows App replacement of the Remote Desktop app downloaded from the Microsoft Store. It does not apply to the Remote Desktop client standalone installer (MSI), which can be downloaded from Download and install the Remote Desktop client for Windows (MSI). --- Starting May 27, 2025, the Remote Desktop app for Windows from the Microsoft Store will no longer be supported or available for download and installation. Users must transition to Windows App to ensure continued access to Windows 365, Azure Virtual Desktop, and Microsoft Dev Box. Windows App provides several improvements over the Remote Desktop app for Windows, including: * Unified access to multiple Windows services, including Cloud PCs and virtual desktops from a single, streamlined interface. * Customizable home screens, multimonitor support, and dynamic display resolutions. Enhanced remote work experiences with features such as device redirection, Microsoft Teams optimizations, and easy account switching. Connections to Windows 365, Azure Virtual Desktop, and Microsoft Dev Box via the Remote Desktop app from the Microsoft Store will be blocked after May 27, 2025. For all other users, the Remote Desktop app will no longer be supported. Prepare for the transition Windows 365, Azure Virtual Desktop, and Microsoft Dev Box users: * Get started: Review the get started guide for more information on each platform. * Download Windows App: Windows App can be downloaded from the Microsoft Store or directly from What's new in Windows App. Remote desktop users: Users connecting to remote desktops from the Remote Desktop app should use Remote Desktop Connection until support for this connection type is available in Windows App. Remote Desktop Services users: Users connecting to Remote Desktop Services from the Remote Desktop app should use RemoteApp and Desktop Connection until support for this connection type is available in Windows App. Known issues: To understand if there are current feature gaps that may create challenges for migrating to Windows App, review Known issues and limitations of Windows App. Be sure to check this list over time as the feature gaps will be resolved. Uninstall the Remote Desktop app: For uninstallation methods that align with how you manage your apps, visit our Uninstall your apps and Remove Apps documentation. IT administrators can help prepare their organizations by encouraging users of Remote Desktop app for Windows to start their transition to Windows App, and by updating internal resources such as user guidance, help desk documentation, and administrative materials, as needed. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

4.24.2025: Microsoft 365 Apps running on Windows 10 will continue to receive security updates for three years after Windows 10 end of support. Learn more at Windows 10 end of support and Microsoft 365 Apps. 2.14.2025: This post has been updated to provide clarity and updated information related to the options available for activating ESUs: traditional ESU activation and ESU activation via Windows 365 and Azure Virtual Desktop. 10.31.2024: On November 1, we will begin offering the traditional 5-by-5 Extended Security Update offer through the Volume Licensing price list. The first ESU will be available in November 2025. We’ll share more details on availability of the cloud-based Extended Security Update offer on our price list in the future. 4.2.2024: The details and pricing structure outlined in this post apply to commercial organizations only. Details will be shared at a later date for consumers on our consumer end of support page. Educational organizations can find tailored information about Windows 10 end of support in the Microsoft Education Blog. --- Mark your calendars! By now, you've probably heard that Windows 10 will reach end of support on October 14, 2025 (except certain LTSC editions). If your organization must continue using Windows 10 for part of your device estate after support ends, you can enroll those PCs in the paid Extended Security Update (ESU) program. ESUs allow you to receive critical and/or important security updates for Windows 10 PCs when you need extra time to move to Windows 11. In December, we outlined a plan for Windows 10 end of support with Windows 11, Windows 365, and ESU to help you continue to move forward and keep all your devices protected. Today, let's review your options, including a special offer for those using cloud-based update management. Read on for details! Stay on a supported version of Windows Organizations that run legacy software are at a higher risk of security breaches and potential compliance violations. While Windows 10 PCs will continue to function after they reach end of support, they will no longer receive security updates, bug fixes, feature improvements, or security issue resolutions. Upgrading to Windows 11 or transitioning to a new Windows 11 PC will help you deliver the best, most secure computing experience to your employees—and help protect your organization. With Windows 10 end of support nearing, you have three options to stay on a supported version of Windows: * Upgrade existing eligible PCs that meet Windows 11 hardware requirements. Just use Windows Autopatch or Microsoft Intune! * Purchase new Windows 11 PCs. They offer powerful security features turned on by default, numerous accessibility, productivity, and AI enhancements, and are built for hybrid work. * Migrate to the cloud with Windows 365 or Azure Virtual Desktop. Make Windows 11 available to users on any device. Extended Security Updates are intended to help you make the transition Enrolling in the Windows 10 ESU program enables you to continue receiving monthly security updates for your Windows 10 devices. That way, you have more time to complete your move to Windows 11. Extended Security Updates are not intended to be a long-term solution but rather a temporary bridge. Extended Security Updates do not include new features, non-security fixes, or design change requests. The ESU program does not extend technical support for Windows 10. Technical support is limited to the activation of the ESU licenses, installation of ESU monthly updates, and addressing issues that may have been caused due to an update itself. You can purchase ESU licenses for Windows 10 devices that you don't plan to upgrade to Windows 11 starting in October 2024, one year before the end of support date. Note: The price of the ESU program will double every consecutive year, for a maximum of three years. If you decide to jump into the program in Year Two, you'll have to pay for Year One too, as ESUs are cumulative. Educational organizations can find tailored information about Windows 10 end of support in the Microsoft Education Blog. Two options for Windows 10 Extended Security Updates There are two options for ESUs for your Windows 10 estate: the traditional license using a 5-by-5 activation key or activation as part of your Windows 365 or Azure Virtual Desktop subscription. Traditional ESU activation With the 5-by-5 activation method, you'll download an activation key and apply it to individual Windows 10 devices that you've selected for your ESU program. Manage it via scripting or the Volume Activation Management Tool (VAMT), among other methods. You can use on-premises management tools such as Windows Server Update Services (WSUS) to download and apply the updates to your Windows 10 devices.  The 5-by-5 activation subscription will establish the Year One list price of ESU for Windows 10. This is the base license and will cost $61 USD per device for Year 1, similar to the Windows 7 ESU Year 1 price.[1] It is now available through Volume Licensing and will be available through Microsoft Cloud Solution Provider (CSP) partners beginning September 1. For those organizations using a Microsoft cloud-based update management solution (i.e., Microsoft Intune or Windows Autopatch), there is a special offer.[2]  You can manage and monitor the complete update process in Microsoft Intune or utilize Windows Autopatch to fully automate the update process for you. With Windows Autopatch, there is no required action on your part. Simply check the monthly update reports to understand the status of your environment. This license has a ~25% discount and will cost $45 USD per device for Year 1 and is available through Volume Licensing.[1] For information on how to activate Windows 10 ESU licenses, see Enable Extended Security Updates. ESU through Windows 365 and Azure Virtual Desktop Windows 10 Cloud PCs in Windows 365 and virtual machines in Azure Virtual Desktop are automatically entitled to ESUs at no additional charge.  Additionally, Windows 10 devices accessing Windows 11 Cloud PCs through Windows 365 will automatically be activated to receive security updates without any additional steps. Benefits of cloud-based Windows management Many organizations experience improvements for both employees and the IT organization by shifting Windows endpoint management to the cloud. For example, Westpac, Australia's first bank and oldest company, used Windows Autopatch to upgrade from Windows 10 to Windows 11 Enterprise. The industry-leading banking and financial services company supports more than 40,000 people across diverse locations. For their employees, Windows 11 Enterprise has delivered features that make it easy for them to stay organized and work securely from anywhere. "With Windows Autopatch, we cut deployment time from 90 minutes to 25. So if you apply that across our 40,000+ strong workforce, that's a lot of time saved." - Paul McKenna, Head of Workplace and Contact Centre Infrastructure, Westpac You can learn from others, such as Petrobras, and their Windows 11 migration journeys by visiting the Microsoft Customer Stories site. Simplifying the road to Windows 11 If you need support on your journey to cloud management, take advantage of Microsoft FastTrack or approved partners. FastTrack is a service that helps you move to the cloud faster and with more confidence. It offers free guidance and resources to help you identify and prioritize scenarios, as well as set business goals to measure success as you plan for rollout. It can also include guidance from Microsoft specialists, best practices, and tools. Get it all to help you migrate, deploy, and adopt Microsoft 365 solutions, including Windows 11, Windows 365 and Microsoft Intune. Questions about the solutions that can help? Tune in April 10th to a special edition of Windows in the Cloud on Windows 365, Windows Autopatch, and ESUs! --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A. --- [1] All prices are in US dollars. Regional prices will vary based on foreign exchange rates at the moment of ordering SKUs. [2] There will be special pricing for nonprofits.

Windows updates play a vital role in keeping devices secure, performant, and up to date. To further enrich the user experience, we're introducing a simplified and standardized titling system for a range of updates. This new format is designed primarily with the user in mind. Titles are more intuitive, consistent, and informative to help users quickly understand what updates they're receiving. Enhanced clarity and consistency across update titles The updated titles follow a clear and predictable structure across multiple update types. Each title now refers to the update by a more user-friendly name. It also includes just the most relevant identifiers, such as KB number and build or version. What we omit are the unnecessary technical details like platform architecture or date prefixes. Here are examples of what the updated titles look like: * Monthly or out-of-band security updates: Security Update (KB5034123) (26100.4747) * Monthly preview non-security updates: Preview Update (KB5062660) (26100.4770) * .NET Framework security updates: .NET Framework Security Update (KB5056579) * .NET Framework non-security updates: .NET Framework Preview Update (KB5056579) * Driver updates: Logitech Driver Update (123.331.1.0) * AI component updates: Phi Silica AI Component Update (KB5064650) (1.2507.793.0) Screenshot of the Windows Update page showing that the Preview Update has begun to download. Screenshot of the Update history page indicating the .NET Framework Preview Update has been installed. Scope and compatibility This title simplification applies to: * Windows OS quality updates (monthly security and non-security preview updates) * .NET Framework updates * Driver updates * AI component updates * Visual Studio updates New update names now appear in the following locations common to users: * Settings > Windows Update * Settings > Windows Update > Update history * Windows release health If you deploy updates through Microsoft Update Catalog or Windows Server Update Services (WSUS), most update titles remain unchanged[i] (e.g., 2025-10 Cumulative Update for Windows 11, version 25H2 for x64-based Systems (KB5066835) (26200.6899). Windows feature update titles also remain the same. Small changes that make big differences With this first large-scale improvement in update naming, we hope users at your organization can take advantage of several benefits: * Improved readability for users reviewing updates in Windows Settings or Update history. * Predictable formatting for original equipment manufacturers (OEMs) and partners integrating with servicing tools. The improved titles align with modern user interface (UI) expectations and accessibility standards, supporting security and productivity through reduced ambiguity. [i] Visual Studio update titles are now simplified across all channels as follows: Visual Studio 2022 Security Update (version). --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 delivers Cloud PCs, a complete and secure Windows experience hosted in the Microsoft Cloud that are accessible on any device. Employees, whether full-time, contractors, shift workers, or seasonal staff, can access their personalized Windows apps, settings, desktop, and data from anywhere. This kind of flexibility is part of the beauty of Windows 365 — but with multiple connection options, you might wonder: Which one should I use? Don’t worry, we’ve got you covered. Whether you’re powering up secure shared workstations, re-purposing older devices, or working in a hybrid environment, there’s a way to access Windows 365 that fits your employees’ needs. Users don’t need any special expertise to get started; connecting to a Cloud PC is simple, secure, and delivers the same familiar, local Windows experience they already know and trust. Let’s take a closer look at each option: Windows 365 Link — Simple. Secure. Purpose-built. Ideal for: Desk-based or frontline workers in shared workspaces Experience: Purpose-built to securely connect to Windows 365 in seconds Windows 365 Link is the first Cloud PC device for Windows 365, securely connecting users to Windows in the cloud. This cloud-native solution is secure by design, simple to manage, and performant. Data, identity, and experiences are removed from the endpoint, and security features are on by default and cannot be turned off, significantly increasing its security posture. It’s managed with Microsoft Intune, and its small Windows-based OS minimizes IT admin decision points through a limited set of configuration policies, making management simple and familiar. Employees simply power it on, sign in, and are securely connected in seconds. Windows 365 Boot — Reuse hardware. Maximize flexibility. Connect seamlessly. Ideal for: Repurposed PCs of any form-factor, frontline workers, shared and dedicated devices Experience: Boot directly to your Cloud PC from any Windows 11 device With Windows 365 Boot, users can sign in and go straight to their Cloud PC with a familiar Windows 11 sign-in experience — skipping the local desktop entirely. It’s ideal for shared environments as well as dedicated workstations, where simplicity and a like-local feel are key. Windows 365 Boot is a great choice if you want to reuse existing Windows 11 hardware, deploy mobile laptops, or need maximum flexibility in how devices are configured and managed. Windows 365 Switch — Great at supporting bring-your-own-device (BYOD) programs Ideal for: BYOD, hybrid workers Experience: Seamlessly switch between your local desktop and Cloud PC Windows 365 Switch allows users to move effortlessly between their local Windows desktop and Cloud PC — just like switching apps. There’s no rebooting required, enabling a fast and fluid workflow. It is designed for hybrid users who want to keep their personal and work environment separate, while enabling quick access to both. Fast, familiar, and integrated through the Windows App, this will allow users to seamlessly move between different environments. The Windows App — Access from anywhere Ideal for: Anyone who needs cross-platform access to their Cloud PC Experience: Connect through the Windows App on Windows, macOS, web, or mobile The Windows App provides a single, consistent experience for employees to connect to their Cloud PCs from virtually any device. They can connect in windowed view or full screen mode with support for multiple monitors. Windows App also enables users to connect to other Windows virtualization services, such as Azure Virtual Desktop or Remote Desktop Services, and create PC-to-PC connections. Whether you’re using a Windows PC, Mac, tablet, or phone, you can securely access Windows remotely anytime, anywhere. Which experience is right for your users?   Your priority                                                                                                                Recommended   ___________________________________________________________________________________________________________________________ Deploy a secure and simple-to-manage Cloud PC device  Windows 365 Link  Reuse existing hardware, additional flexibility  Windows 365 Boot  Support hybrid or BYOD users  Windows 365 Switch  Access from anywhere, on any device via an app  Windows App  If you’re looking for strong security and simple, centralized management, Windows 365 Link is the recommended choice. For organizations that need more flexibility in their feature set, such as reusing existing hardware, Windows 365 Boot offers enhanced flexibility and a wider range of features. To explore these options in more detail, visit Compare Windows 365 connection methods on Windows. Windows 365 helps organizations empower every user, on any device, with a secure, high-performance Cloud PC. No matter how you connect, each option offers the same fast, reliable, and familiar Windows experience. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Have you ever needed to remove pre-installed Microsoft Store apps? If so, you might have encountered scripts that break when apps change, making your job more time-consuming. Thanks to your feedback, starting this month, you can remove select provisioned in-box apps using straightforward policy on Windows 11 Enterprise or Windows 11 Education, version 25H2. Custom imaging and complex scripts are no longer required. You’re now more in control of provisioned Microsoft Store apps than ever. Meet the new policy: Remove default Microsoft Store packages from the system. How the new app management policy works Here’s what you need to know about this new policy: * It lets you select from a defined list of preinstalled Microsoft Store apps and remove those apps from Windows 11 Enterprise and Education devices. * It works with Group Policy or your mobile device management (MDM) solution, including Microsoft Intune. * This policy is off by default, so you must explicitly enable it. * Once enabled, enforcement occurs automatically. A cleanup task deprovisions removed packages and local app data is removed from the user’s device. * The policy is applied to the user’s device during any of the following occasions: o   During the out-of-box experience (OOBE) o   When the user signs in after an operating system (OS) upgrade o   When the user signs in after an update to the policy * The policy can be used in conjunction with standard Windows provisioning methods, including Windows Autopilot. However, it’s not specific to or dependent on these methods. Why policy-based removal of apps matters By using a policy to remove preinstalled Microsoft Store apps, you can: * Reduce operational overhead. Drop fragile and manual removal scripts and automate operations. * Create a cleaner, work-ready experience. Provide a Windows experience tailored for your work environment. Policy availability and applicable apps The new policy is now available for devices running Windows 11 Enterprise, version 25H2 and Windows 11 Education, version 25H2. It currently supports removal of the following apps: * Calculator * Camera * Feedback Hub * Microsoft 365 Copilot * Microsoft Clipchamp * Microsoft Copilot (consumer version) * Microsoft News * Microsoft Photos * Microsoft Solitaire Collection * Microsoft Sticky Notes * Microsoft Teams * Microsoft To Do * MSN Weather * Notepad * Outlook for Windows * Paint * Quick Assist * Snipping Tool * Sound Recorder * Windows Media Player * Windows Terminal * Xbox Gaming App * Xbox Identity Provider * Xbox Speech to Text Overlay * Xbox TCUI The list will be updated as appropriate for future releases. Enable in-box app removal via policy This app management policy is available to you via Microsoft Intune settings catalog, configuration service provider (CSP), and Group Policy Object (GPO). To make use of it, you’ll need to enable it and tailor the list of preselected apps to your organization’s requirements. Avoid applying both an Intune and a GPO removal policy to the same device. Recommended: Configure devices with Microsoft Intune  You can use Microsoft Intune to configure devices with a settings catalog policy or a CSP policy. * In Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy to create a settings catalog policy. * Use the following settings: * Category: Administrative Templates\Windows Components\App Package Deployment * Setting name: Remove default Microsoft Store packages from the system * Value: Enabled * Set the toggle to True for each app to remove it. * Assign the policy to the desired group, or groups, of devices. Note: Intune won’t apply this policy to unsupported devices and will instead show a status of “Not applicable” for those devices. You can also configure devices with the RemoveDefaultMicrosoftStorePackages CSP policy. This ADMX-backed policy uses an XML payload to specify which apps to remove. o   Set the value of packages to be removed to True. For example, o   Set the value of packages to keep to False. For example, Use Group Policy To apply the policy to a single device, use the Local Group Policy Editor. For multiple devices joined to Active Directory, create or edit  a GPO and use the following settings: o   Group policy path: Computer Configuration\Administrative Templates\Windows Components\App Package Deployment o   Group policy setting: Remove Default Microsoft Store packages from the system o   Value: Enabled Select the apps to remove from the provided app list. One way to double-check that this policy is active is to check registry keys. The registry keys will have configured values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages. Customize app availability for your users today With this new app management policy, you can efficiently deploy changes to the default Microsoft Store apps available on your users’ devices. Empower your organization to be more productive by offering a more tailored user experience. Simplifying device configurations can also help strengthen your security posture and streamline daily operations. And, if you have been manually removing in-box apps because their versions are out of date, you no longer need to! We’ve solved that problem in the latest versions of Windows 11. Your built-in Microsoft Store apps now come updated out-of-the-box. Now is the perfect time to deploy Windows 11 Enterprise or Education, version 25H2, and take advantage of this new management capability.  --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Imagine a workplace where technology doesn’t just support your goals—it anticipates them. AI is moving from the background to the center of the user experience in Windows, fundamentally changing how people interact with PCs. These exciting new capabilities will also play a key role in business, specifically in how employees work, collaborate, and innovate. In a nutshell, Windows 11 is redefining the role of the PC in organizations across the world. While we don’t have new announcements today, this article builds on last week’s Windows 11 update and sets the stage for more information on how Windows is evolving to more effectively empower organizations to innovate, adapt, and thrive in a rapidly changing business landscape driven by AI. Our aim here is to guide you and get you energized for the news coming at Ignite. Windows leads the AI-native shift Windows is evolving into an AI-native platform: secure, scalable, and built for agentic work. With the latest AI features, organizations gain an enterprise-grade foundation where AI powered capabilities operate safely and effectively, unlocking new levels of productivity and business agility. Copilot+ PCs bring this foundation to life with breakthrough performance and native AI experiences, right on the device. Features like Click to Do, streamlined search, and integration of Copilot into Windows settings are designed for commercial reliability. They are either generally available or in Windows 11 Insider Preview Builds. And because these capabilities are built into Windows, you can deploy and manage them using the same trusted tools and controls you rely on today—helping to ensure security, compliance, and readiness at scale. Windows 365 extends this secure, AI-ready environment to the cloud, giving employees access to a Cloud PC – their personalized desktop, apps, settings, and configurations - on any device anywhere, while simplifying IT management for your organization. Windows 365 Cloud PCs are also 20% off for new customers, now through April 30, 2026; learn more here. New interaction models that fit the way you work A key part of last week’s announcements for Windows 11 focused on a new era of interaction for users—making technology more natural and accessible for every worker: * Copilot Voice: Just talk to your PC. Use voice commands to search, get help, and automate tasks, making daily work more intuitive and hands-free. * Copilot Vision: Your PC can see what you see. With Vision, users get real-time, contextual assistance, whether learning a new app, troubleshooting, or collaborating on creative projects. * Copilot Action: Take action - instantly. New features in Windows 11 (coming first to Windows Insiders in Copilot Labs) let Copilot agents perform tasks for users—like opening apps, changing settings, or starting workflows—based on context and intent. * Click to Do: Streamline workflows with a single click. Click to Do empowers you to act instantly, such as scheduling meetings or launching tasks, directly from their workspace. These interaction models open up exciting possibilities for consumers and businesses alike, offering seamless support for voice, touch, and traditional PC input methods to empower everyone. Look for additional details from Microsoft soon on how these innovative features will be made available to organizations around the world. The future of work is already here Windows 11 and AI are designed to make technology feel invisible, so employees can focus on what matters. From intuitive voice commands to contextual assistance, these innovations help your teams move faster, collaborate better, and unlock new levels of creativity. Furthermore, Windows sits at the center of the Microsoft ecosystem, connecting pilot and Microsoft Copilot Studio to enable intelligent workflows for users across the enterprise.1 This deep integration helps your organization reduce complexity, unlock cross-platform intelligence, and deliver seamless experiences across teams and tools. As millions upgrade to Windows 11 and CoPilot+ PCs, AI is becoming a daily reality.2 By embracing these tools now, your organization will be best positioned to amplify human potential, foster trust, and deliver experiences that delight—now and in the future. And this is just the beginning Stay tuned for Microsoft Ignite in November, where we’ll be unveiling even more commercial innovations designed to help organizations transform how they work, secure their data, and empower every employee. The next chapter of Windows and AI is on the horizon, and it’s built for business. The journey starts now, with technology that’s built for people, built for progress, and built for the future. Explore how Windows 11 and AI can transform your business today.   1Microsoft Annual Report 2025 2Business of Apps, Oct 7,2025 --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows 10 reaches end of support on October 14, 2025. A great place to learn about all the Windows 10 Extended Security Updates (ESU) options is in our blog post, When to use Windows 10 Extended Security Updates. In this article, I will provide more detail on the Windows 10 lifecycle for Windows 365 across the following scenarios: * Existing Cloud PCs running Windows 10 * Creating new and reprovisioned Cloud PCs with Windows 10 * How to create a Windows 10 custom image with Extended Security Updates * ESUs for physical PCs that connect to Windows 365 * Microsoft 365 Apps support for Windows 10 * Windows 10 ESU support Existing Cloud PCs running Windows 10 On existing Cloud PCs running Windows 10 22H2 in Azure, ESUs are available at no additional cost—read about the Extended Security Updates (ESU) program for Windows 10 for more information. The ESU program enables PCs to continue to receive critical and important security updates. ESUs will be offered on Cloud PCs running 22H2 when Windows Update or Autopatch is run without requiring any admin action. Updates will be installed based on Windows Update configurations of each Cloud PC and are applied automatically after deployment. Creating new and reprovisioned Cloud PCs with Windows 10 Starting October 14, 2025 the Windows 10 gallery images have been removed and are no longer available to create new provisioning policies. If you still need to create Windows 10-based provisioning policies, please follow the process to create a custom image based on the Azure Marketplace Images that are available until April 14, 2026. Windows 365 provisioning policies that use Windows 10 22H2 gallery images (with or without Microsoft 365 Apps) will continue to work until April 14, 2026. After that date, these images will be retired and no longer available. For any provisioning policies that still reference these images, the image status will change to “out of support” and new provisioning attempts will fail. To learn more, please read Lifecycle policies and end of support for Cloud PC operating systems. The final monthly update to the Windows 365 Windows 10 gallery images will be the Windows 10 October 2025 update. Between October 2025 and April 2026, Cloud PCs created will need to install ESUs to be current. Microsoft recommends switching to Windows 11 for a more secure Windows experience. A Windows 10 22H2 image that contains the October 2025 update will remain published in the Azure Marketplace. This is the same version as published in Volume Licensing and Visual Studio downloads. It does not contain any Windows 365 or Microsoft 365 app customizations. How to create a Windows 10 custom image with Extended Security Updates After April 2026, customers that want to create a Windows 10 image will need to create a custom image and import it into Windows 365. Here’s how: * Create an Azure Virtual Machine using Windows 10 22H2 from Azure Marketplace. *  Note: the last Windows 10 image available is October 2025. * Perform a Windows Update to ensure the latest ESUs are installed. Multiple reboots may be required. * Review support details before installing Microsoft 365 apps. * Follow all instructions for creating and importing custom images into Windows 365. ESUs for physical PCs that connect to Windows 365 If users are connecting to Cloud PCs from Windows 10 physical PCs that are Intune-managed, each physical PC is automatically entitled to receive Windows 10 ESUs. This benefit’s purpose is to extend the life of Windows 10 PCs that do not meet Windows 11 hardware requirements. Note: Physical devices connecting to Windows 365 Frontline Shared and Windows 365 Reserve Cloud PCs are not eligible for free ESUs. Learn more about enabling Extended Security Updates (ESU). Microsoft 365 Apps support for Windows 10 Visit Windows 10 end of support and Microsoft 365 Apps to learn more. Windows 10 ESU support We will determine if the issue pertains to Windows 365 or with Windows 10. If the issue is determined to be with Windows 365, we will support as expected and work towards a resolution to your reported issue. If the issue is determined to pertain to the operating system, we will request/require an attempt to reproduce the same issue on a currently supported version of Windows 11. If that issue is able to reproduce on Windows 11, we will work that issue as it is supported. Once resolved, and if applicable, we can attempt to apply that same solution to the originally reported Windows 10 system. If the Windows 11 solution does not resolve the issue on Windows 10, we would recommend upgrading to Windows 11 as Windows 10 is no longer supported. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Did you know that hotpatch updates are significantly smaller than standard Windows updates? Rather than the larger cumulative packages that take more time to install on devices, hotpatch updates bring faster security and improved productivity. Their smaller size translates to optimized network performance, faster installation, and quicker compliance, among other benefits. Smaller updates, same security, smarter delivery Hotpatch enables devices to receive critical security updates without restarting. Instead of downloading the full monthly update, hotpatch delivers only the in-memory code changes needed to address security vulnerabilities. For several releases, the hotpatch package has been reported to be more than 10 times smaller than the standard cumulative update. Importantly, these significantly smaller packages still maintain the same level of security and compliance. Benefits of smaller updates for your organization Hotpatch updates don’t just save time. They drive business continuity by ensuring that users remain secure and productive, without disruption. By reducing update sizes, hotpatch unlocks new levels of efficiency: * Optimized network performance: Reduced download sizes result in lower bandwidth consumption, easing the load on corporate networks. Fewer megabytes travel across your network to allow large fleets to update smoothly without spikes in WAN usage. * Sustainability benefits: Smaller updates reduce energy consumption tied to downloading updates, reducing the carbon footprint significantly. * Faster security compliance: Smaller updates are faster to install and therefore help you achieve security compliance more quickly. These efficiency boosters add to the general benefit that hotpatching installs in the background with no interruption or restarts for increased user and IT productivity. Why is the hotpatch size smaller than standard cumulative update? Standard Windows cumulative updates are designed to be comprehensive. Each package contains not only the latest security fixes but also quality and feature updates, along with security and feature updates from previous releases. This way, any device can get fully up to date from a single package. But this also makes the update larger in size. Hotpatch takes a leaner approach: * Security-only updates: Hotpatch focuses exclusively on delivering security fixes, rather than combining them with quality and feature updates. This narrower scope significantly reduces package size. * Incremental model: Whereas standard updates carry forward all the past fixes and features, hotpatch updates build only on top of the most recent quarterly baseline update. Each hotpatch package contains only the incremental security changes for the specific months, within the current quarter. Note: If a device has been disconnected for a long time, expect its next update to be larger. First, it will receive the latest baseline, which would be the standard cumulative update, followed by the hotpatch update. What your hotpatching calendar looks like * Baseline update: Delivered on the first month of each quarter (January, April, July, and October). This is the same composition and size as the standard cumulative update. This update is released on the second Tuesday of the month. * Hotpatch updates: Delivered on the two months following the baseline update. Devices receive only incremental, security patches that are installed without a restart. These updates also get released on the second Tuesday of the month.  Find the detailed hotpatch release cycle here. Looking ahead With reduced patch sizes and fewer restarts, you can join thousands of enterprise customers in achieving your security compliance faster and focusing more on innovation. Hotpatch is part of the Microsoft commitment to simplify and modernize update management. Discover related resources to start with hotpatching today: * Check if your organization is ready for hotpatch updates. * Has your question already been asked? See Hotpatch for client: Frequently asked questions. * Learn about Windows Autopatch required to create and deploy hotpatch updates. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Are you a new Windows developer or looking to skill up on the latest in AI? This skilling snack is for you! Start at the top to learn about Windows Machine Learning (ML)—now generally available—or skip down to the resources that meet your current needs. Time to learn: 73 mins Get started with Windows Machine Learning (ML) * Windows ML is generally available: Empowering developers to scale local AI across Windows devices (10 mins): Ready to scale local AI across Windows devices? Learn how to build AI experiences that are more responsive, private, and cost-effective. Watch this one-minute video teaser for a quick introduction. * Introducing Windows ML: The future of machine learning development on Windows (10 mins): Preview Windows ML to create AI-infused applications with ease. It’s a cutting-edge runtime optimized for performant on-device model inference and simplified deployment with the foundation of Windows AI Foundry. * What is Windows ML (4 mins): Visit our technical documentation to learn more about how Windows ML works and what you’ll need to start using it. Get introduced to execution providers (EPs) and learn about automatic EP management for different hardware (CPUs, GPUs, and NPUs). * Get started with Windows ML (3 mins): Review your device and language-specific prerequisites before using Windows ML. Follow steps to install or update the Windows App SDK depending on whether you use C#, C++, or Python. Then download and register EPs. The latest from Microsoft Build * An IT pro’s guide to Windows at Microsoft Build 2025 (5 mins): Get a summary and links to on-demand sessions on developing with and for Windows. * Advancing Windows for AI development: New platform capabilities and tools introduced at Build 2025 (23 mins): See how Windows is becoming a better dev box for AI development. Find out about Windows AI Foundry, Windows ML, AI APIs, Model Context Protocol (MCP), improvements to Windows Developer tools, security, and more. Watch this one-minute video teaser! Additional resources for AI development in Windows * Copilot+ PCs developer guide (11 mins): This updated guidance for developers now includes Windows ML! Find out about device prerequisites, considerations for different silicon chips, unique AI features, and other helpful tips. * Windows AI Foundry (time varies): Bookmark this gateway to all things Windows AI Foundry as a unified, reliable, and secure platform. It supports the AI developer lifecycle from model selection, fine-tuning, optimizing, and deployment across CPU, GPU, NPU, and cloud. * Securing the Model Context Protocol: Building a safer agentic future on Windows (7 mins): Learn about MCP as a foundational layer of secure, interoperable agentic computing, currently in preview. Review the requirements, possibilities, and security controls that MCP covers for hosts, clients, and servers. What are you most excited about building next? Have you tried Windows ML yet? Leave us a comment below and share these resources with your peers! The Windows skilling snacks library has more on Windows and AI, as well as other topics of interest. --- Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.