ConfigMgrDogs
@configmgrdogs.bsky.social

linktr.ee/ConfigMgrDogs
Windows 365 now supported in New Zealand North
Today I’m pleased to announce that Windows 365 is now available in the New Zealand North region, bringing Cloud PCs even closer to our customers around the world. With this expansion, organizations in and around New Zealand can benefit from lower latency, improved performance, and local data residency, all delivered through our trusted Microsoft Cloud.

This new region strengthens our global coverage and supports customers who need to keep data within national borders, meet industry or government compliance expectations, or simply provide their workforce with a faster, more consistent Cloud PC experience.

Enabling Windows 365 in New Zealand North reinforces our commitment to supporting local digital transformation and helping organizations of all sizes deliver secure, flexible, cloud‑powered computing, without the constraints of physical hardware. As more customers adopt Windows 365 to modernize their workforce, this new region ensures they can do so with the performance, reliability, and sovereignty that’s expected from Microsoft.

Recommended next steps

Below are a few actions to help you take advantage of Windows 365 availability in New Zealand North, depending on how your provisioning policies are configured.

Microsoft Hosted Network (MHN) customers

MHN customers can start benefiting from the New Zealand North region right away. Because Microsoft manages the networking for you, choosing the Australasia geography where New Zealand North has been added to lets the service optimize Cloud PC placement automatically for performance and resilience.

To enable the New Zealand North region:
* Learn more about how Microsoft Hosted Network improves resiliency and regional coverage.
* Configure provisioning policy to use the Australasia geography > New Zealand region group > New Zealand North region.
* Ensure you select “Auto select new region groups” and “Auto select new regions” so Windows 365 can dynamically choose the best region available.

Azure Network Connection (ANC) customers

If you're using ANC, you remain in control of your network topology. To use the New Zealand North region, your environment will need a quick validation or update.

To enable the New Zealand North region:
* Review the Azure Network Connection documentation.
* Confirm your ANC setup supports New Zealand North, including virtual networks and necessary service endpoints.
* Once ready, adjust your provisioning policies to target New Zealand North.

Explore more about Windows 365

With New Zealand North now available, this is the perfect time to bring Cloud PCs closer to your users. Start provisioning in the new region and give your organization the performance and resiliency benefits immediately. To explore configuration options and learn more about what’s possible next, head over to the Windows 365 documentation.

---
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.
February 11, 2026 at 5:16 PM
What to know about Windows 11, version 26H1
Windows continually works in partnership with our OEMs and IHVs to support new device innovations. Windows 11, version 26H1 is a targeted release that supports some of the new device innovations coming in 2026. That means that this release is not being made available through broad channels but is only intended for those who purchase these new devices. At this time, devices with Qualcomm Snapdragon® X2 Series processors will come with Windows 11, version 26H1.

Organizations should continue to purchase, deploy, and manage devices running broadly released versions of Windows 11 (e.g. versions 24H2 and 25H2) with confidence. Windows 11, version 26H1 is not a feature update for version 25H2. There is no need to pause device purchases or OS deployments, and no changes required to existing enterprise rollout plans. Windows will continue to have annual feature updates in the second half of the calendar year.

Windows 11, version 26H1 is a scoped release

* Windows 11, version 26H1 will only be available on new devices with select new silicon as they come to market in early 2026.
* Windows 11, version 26H1 is not offered as an in-place update from Windows 11, version 24H2 or 25H2 on existing devices.
* There is no impact to devices already in market today.
* Devices running Windows 11, version 26H1 will continue receiving monthly updates for security, quality, and new features, the same as devices running Windows 11, versions 24H2 and 25H2.
* Devices running Windows 11, version 26H1 will not be able to update to the next annual feature update in the second half of 2026. This is because Windows 11, version 26H1 is based on a different Windows core than Windows 11, versions 24H2 and 25H2, and the upcoming feature update. These devices will have a path to update in a future Windows release.
* Windows 11, version 26H1 does not support hotpatch updates.
* Windows 11, version 26H1 security updates will be manageable through typical tooling – Windows Autopatch, Microsoft Intune, Microsoft Configuration Manager, etc.

This approach allows Windows to support the development of new hardware capabilities while protecting the stability and predictability that commercial customers rely on in production environments.

What this means for IT planning

For IT admins planning refreshes, rollouts, or purchases, Windows 11, versions 24H2 and 25H2 remain the recommended releases for enterprise deployment at this time.

* New PCs being released with Windows 11, versions 24H2 and 25H2 are fully supported and continue to receive monthly security and quality updates following the official support lifecycle policy.
* For organizations with homogenous environments, those who prioritize standardization, long deployment windows, and large volume management, Windows 11, versions 24H2 and 25H2 remain the right choices. You'll always have a path to the next annual release when you follow the predictable H2 update cadence.
* Early adopters who wish to take advantage of the full benefits of new hardware platforms may evaluate Windows 11, version 26H1 selectively — without disruption to the rest of their estate. For instructions on how to check, see Windows 11, version 26H1 update history.

In short: Windows 11, version 26H1 should not impact your current Windows deployment and purchasing strategy. There is no benefit to waiting or deferring plans based on version 26H1, unless you are specifically targeting adoption of devices with silicon that requires such.

Our ongoing commitment

We remain committed to:
* Predictable servicing and lifecycle policies
* Clear communication when action is required
* Strong backward compatibility
* Minimal disruption to enterprise operations

If and when a Windows release requires changes to deployment planning or management practices, we will communicate that clearly, directly, and with sufficient runway. We'll continue to deliver updates through the same servicing model you rely on today. We'll keep you informed as Windows evolves and continues to improve performance and battery life for both existing and new devices.

---
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
February 10, 2026 at 6:29 PM
Windows news you can use: January 2026
Welcome to the January 2026 Windows news you can use, including new capabilities in Windows Backup for Organizations and Windows 365.

Coming up on February 5, there will be another Secure Boot AMA, so please tune in to get answers to your questions. Then, on Mondays in March, join us for deep dives, AMAs, and more at Microsoft Technical Takeoff for Windows and Microsoft Intune. Check out the full schedule and start adding sessions to your calendar.

Now, let's get started with the latest news you can use.

New in Windows update and device management

* [BACKUP] [RESTORE] – Windows Backup for Organizations is expanding to include a new restore experience at first sign-in. In early 2026, Windows 11 users will be able to restore their Windows settings and Microsoft Store app list at the very first sign-in, even on Microsoft Entra hybrid join devices and multi-user setups.
* [UPDATES] [OOBE] – Starting with the January 2026 security update, the ability to install Windows quality updates during the out-of-box experience (OOBE) will no longer be enabled by default in Microsoft Intune.
* [WINDOWS 365] – Windows 365 is now available in the Brazil South region. Your organization can now provision Cloud PCs closer to your users in Brazil and across South America, helping reduce latency and support regional data residency requirements.
* [INTUNE] – Get insights from the experts by watching last week's Intune edition of Tech Community Live, now available on demand. Learn how to secure endpoints with policy and Microsoft Defender, manage apps, and apply Zero Trust best practices when managing devices in Intune.

New in Windows security

* [NETWORK] [ACCESS] – Windows is moving toward a more secure authentication model by phasing out New Technology LAN Manager (NTLM) in favor of stronger, Kerberos‑based alternatives. Get familiar with the phased roadmap for NTLM disablement and tools that will help prepare your organization for this change.
* [WINDOWS HELLO] – The January 2026 optional non-security update starts the gradual rollout of support for peripheral fingerprint sensors with Windows Hello Enhanced Sign-in Security (ESS).
* [SECURE BOOT] – The Secure Boot playbook has been updated to make it easier to identify the steps and tools to help you proactively update Secure Boot certificates across your estate before they start expiring in June of 2026. Have questions? Post them now then tune in for the Secure Boot AMA on February 5, 2026 at 8:00 AM PT.
* [SECURE BOOT] [INTUNE] – You can now deploy, manage, and monitor Secure Boot certificate updates using Microsoft Intune. Step-by-step guidance is now available and has been added to the Secure Boot playbook for easy reference. Additionally, a new Secure Boot status report is now available in Windows Autopatch.
* [SECURE BOOT] [WINDOWS UPDATE] – Starting with the January 2026 security update, Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment.
* [DATA PROTECTION] – With the January 2026 optional non-security update, IT admins can now set how often Data Protection Application Programming Interface (DPAPI) domain backup keys rotate automatically. This strengthens cryptographic security and reduces reliance on older encryption algorithms.
* [VIRTUALIZATION] [CLOUD PC] – A unified, policy-driven way to control which RDP Shortpath modes (Managed, Public/STUN, Public/TURN) are enabled across Azure Virtual Desktop session hosts and Windows 365 Cloud PCs is now available. Explore RDP Shortpath configuration via Group Policy or Microsoft Intune.
* [M365] – Starting February 9, 2026, Microsoft will continue to ramp up enforcement, and users will be unable to sign in to the Microsoft 365 admin center without successfully completing multifactor authentication.
* [WDS] – Starting with the January 2026 security update, you can explicitly disable WDS hands-free deployment with the help of new Event Log alerts and registry key options. In April 2026, hands-free deployment will be disabled by default. After that date, it will no longer work unless explicitly overridden with registry settings.

New in AI

* [WINDOWS 365] – Windows 365 for Agents introduces a set of capabilities that make it possible to run autonomous AI agents securely on Cloud PCs. Enhancements will help you automate complex tasks, reduce idle costs, and ensure trust in autonomous operations.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by "Copilot+ PC Exclusives."

New in productivity and collaboration

Install the January 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities.

* [START MENU] – The redesigned Start menu continues its gradual rollout to Windows devices. As the rollout progresses, more Windows devices will receive the redesigned Start menu experience.

New features and improvements are coming in the February 2026 security update. You can preview them by installing the January 2026 optional non-security update for Windows 11, version 25H2 and version 24H2. This update includes the gradual rollout of:

* [MOBILE] – Cross‑Device Resume is expanding to include the ability to continue activities from your Android phone on your PC based on the apps and services you use, including resuming Spotify playback, working in Word, Excel, or PowerPoint, or continuing a browsing session.
* [NARRATOR] – Narrator now gives you more control over how it announces on‑screen controls. You can choose which details are spoken and adjust their order to match how you navigate apps.
* [VOICE ACCESS] – Voice Access setup has been streamlined to make it easier to get started. The redesigned experience helps you download a speech model for your chosen language, select your preferred input microphone, and learn what Voice Access can help you do on your Windows PC. You can also now adjust the amount of delay before a voice command runs.
* [AUDIO] – Windows now offers enhanced support for MIDI 1.0 and MIDI 2.0, including full WinMM and WinRT MIDI 1.0 support with built-in translation, shared MIDI ports across apps, custom port names, loopback, and app-to-app MIDI.
* [SETTINGS] – The Device card on the Settings home page appears when you sign in with your Microsoft account. It now shows key specifications and usage details for your PC.
* [COPILOT+ PC] – The Settings Agent now supports more languages, with expanded support for German, Portuguese, Spanish, Korean, Japanese, Hindi, Italian, and Chinese (Simplified).

New for developers

* [APPS] [TOOLS] – The Windows App Development CLI (winapp) is now available in public preview. It's a new open-source command-line tool designed to simplify the development lifecycle for Windows applications across a wide range of frameworks and toolchains.

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

* [ACTIVE DIRECTORY] – Guidance is now available to help mitigate potential threats to Active Directory Domain Services, including authentication relay attacks, Kerberoasting, and unconstrained delegation.
* [KERBEROS] – The first phase of protections designed to address a Kerberos information disclosure vulnerability are now available. They include new auditing and optional configuration controls that help reduce reliance on legacy encryption types such as RC4 and prepare domain controllers.
* [REMINDER] – Starting with the January 2026 security update, Windows Server 2025 updates and release notes have their own KB identifiers and build numbers. These identifiers are separate from those for Windows 11, versions 24H2 and 25H2. This change improves clarity for administrators. Installation and management processes remain the same.

Out-of-band updates

Two out-of-band updates were released in January:
* January 17, 2026 – Out-of-band update to address sign-in failures during Remote Desktop connections
* January 24, 2026 – Out-of-band update to address cloud‑backed storage application issues

Lifecycle milestones

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:
* Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
* Microsoft 365 Copilot release notes for latest features and improvements
* Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
* Windows Server Insider for feature preview opportunities
* Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

If you are an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.

Finally, we are always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!
February 2, 2026 at 10:26 PM
Tune in, skill up: Windows at Tech Takeoff 2026
Four Mondays. Dozens of Windows and Windows‑in‑the‑cloud deep dives. One perfect chance to skill up.

Microsoft Technical Takeoff is back for 2026—and if you're focused on Windows, Windows 365, or Azure Virtual Desktop, this year's lineup is packed with practical demos, real‑world insights, and direct access to engineering teams to help you deploy faster, recover smarter, protect better, and optimize with confidence.

What is Tech Takeoff?

Microsoft Technical Takeoff is a free, technical skilling event that takes place on the Microsoft Tech Community. Our engineering PMs across Windows and our Windows‑in‑the‑cloud experiences have once again been hard at work—building deep dives, crafting demos, and shaping guidance designed to help you confidently configure, roll out, manage, and support the features your organization relies on to stay secure, productive, and resilient. This year's lineup reflects months of collaboration across engineering teams, all with one goal in mind: giving you clear, actionable insights you can put to work right away.

But as always, Technical Takeoff isn't just about what we've built—it's about you. Throughout every session, our engineering and product teams will be live in the chat, answering questions as they come in—and continuing to monitor discussions throughout the week. So post early, post often. Whether you're looking for troubleshooting help, implementation advice, or clarity on what's coming next, we're here and ready to dive in with you. That's the heart of Technical Takeoff: learning together, solving real problems, and helping you deliver great Windows experiences at scale.

Windows sessions at Tech Takeoff 2026

Below is an easy guide to all Windows‑focused sessions, organized by date. Click into any session page to Add to Calendar, save your spot (click Attend), and post your questions in the Comments. Engineering teams will be answering live during the session and then monitoring for additional questions throughout each week.

Monday, March 2
* 7:00 AM PT – Let's talk Windows and Intune: 2026 edition
* 7:30 AM PT – The latest in Windows 11 security
* 8:00 AM PT – Uplevel business continuity with Windows 365 Reserve
* 8:30 AM PT – Hotpatch updates demystified: answers to real-world questions
* 10:30 AM PT – Eliminating NTLM in Windows
* 11:30 AM PT – Resiliency with Windows 365 and Azure Virtual Desktop

Monday, March 9
* 7:00 AM PT – The latest in security for Windows 365 and Azure Virtual Desktop
* 7:30 AM PT – Secure Boot certificate updates explained
* 8:30 AM PT – Ready day one: how to get Windows users up and running fast
* 9:30 AM PT – Windows 365 reporting and monitoring updates
* 10:00 AM PT – Least privilege on Windows with Endpoint Privilege Management
* 10:30 AM PT – Windows 365 Frontline expands with Cloud Apps and more
* 11:00 AM PT – From panic to productive: point-in-time restore in Windows

Monday, March 16
* 7:00 AM PT – Why smarter Windows management starts with Intune
* 7:30 AM PT – Real-time reporting with Windows Autopatch update readiness
* 8:00 AM PT – User experience updates: Windows 365 Boot and more
* 10:30 AM PT – App Control for Business: same roots, new playbook
* 11:30 AM PT – Migrating from VDI to Windows 365

Monday, March 23
* 7:00 AM PT – Powering protection: what's new in Windows hardware security
* 7:30 AM PT – Zero Trust DNS: Securing Windows one connection at a time
* 8:00 AM PT – Secure and manage AI and agentic capabilities in Windows
* 8:30 AM PT – Deploy and manage Windows 365 with Microsoft Intune
* 9:30 AM PT – Azure Virtual Desktop for hybrid environments
* 10:00 AM PT – Protect users, stop attacks: Passkeys on Windows
* 10:30 AM PT – AMA: AI and agentic features for Windows 365
* 11:00 AM PT – Transitioning to post-quantum cryptography
* 11:30 AM PT – Resilience for the modern era: Windows quick machine recovery

We want to hear from you

The IT community shapes this event as much as the speakers do. What's top of mind for you today? What challenges are slowing you down, and where can we offer clarity, shortcuts, or direction? Which enhancements, policy improvements, or optimizations would make your day‑to‑day Windows management easier? Your questions and feedback help guide our product roadmaps and help us identify topics for future tech skilling videos and community events.

Technical Takeoff is one of our favorite opportunities to hear from you directly—so don't be shy. Tune in live and talk with us! Bookmark https://aka.ms/TechnicalTakeoff to see the full agenda and check out What's in store for Intune at Microsoft Technical Takeoff 2026.

---
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
February 2, 2026 at 5:39 PM
Advancing Windows security: Disabling NTLM by default
Windows is moving toward a more secure authentication model by phasing out New Technology LAN Manager (NTLM) in favor of stronger, Kerberos‑based alternatives. Let’s look at enhanced auditing and upcoming tools to help prepare your organization for disabling NTLM by default.

The evolution of Windows authentication

For more than three decades, NTLM has been part of Windows authentication. It is a legacy authentication protocol that uses challenge-response verification for access to network resources, most often as a fallback when Kerberos is unavailable. NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users. However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.

Microsoft is committed to helping your organization transition to stronger authentication mechanisms. In this post you’ll find a long-term roadmap to reduce, restrict, and ultimately remove NTLM from Windows.

The importance of moving from deprecation to disabling NTLM

Today, NTLM is classified as deprecated. Deprecated features remain available, but no longer receive updates or enhancements and may be removed in a future release. Despite its deprecated status, NTLM continues to be prevalent in environments where modern protocols, such as Kerberos, are not feasible due to legacy dependencies, network limitations, or ingrained application logic.

The ongoing use of NTLM exposes organizations to the following risks:
* No server authentication
* Vulnerability to replay, relay, and pass-the-hash attacks
* Weak cryptography
* Limited diagnostic data and auditing visibility (until recently)

It is now time to transition from deprecation to disabling NTLM by default in upcoming Windows releases. While the overarching objective is to eventually remove NTLM entirely, a phased strategy enables you to mitigate NTLM-related risks in a secure and predictable manner, without disrupting your organization.

A phased approach that meets you where you are

The roadmap below presents a three-phased approach toward this goal.

Important: Timelines and feature availability outlined in this post are subject to change as engineering schedules evolve.

With each phase come new capabilities so that your organization has the tools, visibility, and compatibility support needed before NTLM becomes disabled by default. Let’s take a closer look at each phase.

Phase 1: Building visibility and control

Available now, enhanced NTLM auditing helps your organization understand exactly where and why NTLM is still being used in your environment. This is the foundation of any NTLM migration effort. You can use it today with Windows Server 2025 and Windows 11, versions 24H2 and later. For additional guidance, see Disabling NTLM.

Phase 2: Addressing the top NTLM pain points

Here is how we can address some of the biggest blockers you may face when trying to eliminate NTLM:
* No line of sight to the domain controller: Features such as IAKerb and local Key Distribution Center (KDC) (pre-release) allow Kerberos authentication to succeed in scenarios where domain controller (DC) connectivity previously forced NTLM fallback.
* Local accounts authentication: Local KDC (pre-release) helps ensure that local account authentication no longer forces NTLM fallback on modern systems.
* Hardcoded NTLM usage: Core Windows components will be upgraded to negotiate Kerberos first, reducing instances of NTLM usage.

The solutions to these pain points will be available in the second half of 2026 for devices running Windows Server 2025 or Windows 11, version 24H2 and later.

Phase 3: NTLM disabled by default

In the next major Windows Server release and associated Windows client releases:
* Network NTLM will be disabled by default.
* NTLM usage will require explicit re-enablement through new policy controls.
* Support for handling NTLM-only cases will be built-in, reducing application breakage. Examples include accessing targets with unknown SPNs, authentication requests made using IP addresses, local accounts on domain joined machines, and new NTLM blocking policies.

But what does ‘NTLM disabled by default’ really mean?

Disabling NTLM by default does not mean completely removing NTLM from Windows yet. Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically. The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release).

Note: While Microsoft continues to work toward NTLM-independent Windows, during phase 3, NTLM will remain present in the OS and can be explicitly re-enabled via policy if you still need it. This approach balances meaningful security improvements while maintaining a supported and phased transition as you move away from NTLM.

Our commitment to a secure, compatible transition

Disabling NTLM represents a major evolution in Windows authentication, and a critical step toward a passwordless, phishing resistant future. That is why we are committed to providing clear communication of timelines and expectations, and a phased transition with opt-in/opt-out controls. Our phased roadmap is designed to give every organization clear, predictable steps to prepare for default NTLM disablement in Windows.

If your organization is beginning or accelerating its NTLM reduction efforts, now is the right time to engage your identity, security, and application owners to take concrete steps:
* Deploy enhanced NTLM auditing to identify where NTLM is still used.
* Map dependencies across applications and services, and prioritize remediation. This may include reaching out to application developers to update critical applications.
* Migrate and validate that critical workloads succeed with Kerberos. The capabilities that will be released in the second half of 2026 will significantly expand the scenarios where you can use Kerberos successfully.
* Begin testing NTLM-off configurations in non-production environments.
* Enable Kerberos upgrades as they become available through the Windows Insider Program, and then more broadly later this calendar year.

These actions will help you surface gaps early and prepare for NTLM being disabled by default and ultimately removed in future Windows releases.

We will continue to publish updated documentation, migration guides, and scenario specific instructions as new capabilities enter flighting or reach general availability later this calendar year.

If you discover unique or hard-to-mitigate scenarios where NTLM is still being used, please reach out to ntlm@microsoft.com. These insights help us validate edge cases and ensure our features fully support real-world environments.

---
Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.

Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website. Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. You can also follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.
January 29, 2026 at 11:23 PM
Announcing General Availability of RDP Shortpath Configuration via GPO and Microsoft Intune
We are pleased to announce the general availability (GA) of centralized RDP Shortpath configuration using Microsoft Intune and Group Policy (GPO). This update gives IT administrators a unified, policy-driven way to control which RDP Shortpath modes (Managed, Public/STUN, Public/TURN) are enabled across Azure Virtual Desktop (AVD) session hosts and Windows 365 Cloud PCs. These Shortpath controls now map directly to registry-backed policies, so IT admins can easily maintain consistent behavior across large or distributed environments.

RDP Shortpath provides multiple optimized UDP-based transport paths—Managed, Public/STUN, and Public/TURN—that improve connection performance and reliability across diverse network environments. These options collectively form the RDP Shortpath feature set, and we recommend keeping them all enabled so the best path can be selected automatically. However, if your organization requires stricter control—for example, disabling STUN based traversal to ensure traffic flows only through TURN’s dedicated port and subnet—admins now have the policy-driven flexibility to do so through centralized configuration.

Organizations using Windows 365 and AVD have asked for stronger policy-governed control over Shortpath behavior—especially as network environments grow more complex. With this release, admins:
* No longer need per-host manual configuration.
* Gain predictable, enforced behavior across managed devices.
* Can centrally govern Shortpath modes based on security, NAT topology, or network readiness.

This release brings Shortpath into the same modern management motion that customers already use for Windows configuration, compliance, and security.

Benefits of centralized Shortpath configuration

Unified policy management across AVD and Windows 365
Admins can centrally control all three Shortpath modes through GPO or Intune, which directly writes the relevant registry-backed configuration on each session host. This ensures consistent and governed behavior across all devices.

Operates in addition to AVD host pool configuration
For Azure Virtual Desktop, these GPO and Intune configurations act in addition to host pool network settings. This gives admins an extra layer of control at the session host level. When both host pool settings and policies are configured, the session-host policy takes precedence, ensuring deterministic behavior. This layering model is reinforced in internal discussions where session host configuration remained necessary in cases such as enabling UDP listener paths.

Important! The settings described in this article update registry-backed policies that enable or disable RDP Shortpath modes. Network prerequisites must still be in place (UDP allowed; STUN/TURN endpoints reachable) for connections to succeed. After policies apply, restart the session hosts or Cloud PCs for changes to take effect. See Optimization of RDP documentation for more detail.

Configuring RDP Shortpath using Intune
To enable the RDP Shortpath listener on your session hosts using Microsoft Intune:
* Sign in to the Microsoft Intune admin center.
* Create or edit a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.
* In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > RDP Shortpath.
* Expand the Administrative Templates category.
* For each RDP Shortpath type, toggle the setting to Enabled or Disabled.
  * Enabled or Not Configured: The connection will attempt to use the specified network path.
  * Disabled: The connection will not use this network path.
  * Available RDP Shortpath types:
    * RDP Shortpath for managed networks using NAT traversal
    * RDP Shortpath for public networks using NAT traversal
    * RDP Shortpath for public networks using Relay (TURN)
* Select Next.
* Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
* On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.
* On the Review + create tab, review the settings, then select Create.
* Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Configuring RDP Shortpath using Group Policy (GPO) in an Active Directory domain
To configure the RDP Shortpath using Group Policy in an Active Directory domain:
* Make the administrative template for Azure Virtual Desktop available in your domain by following the steps in Use the administrative template for Azure Virtual Desktop.
* Open the Group Policy Management console on a device you use to manage the Active Directory domain.
* Create or edit a policy that targets the computers providing a remote session you want to configure.
* Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > RDP Shortpath.
* Review the available RDP Shortpath types:
  * RDP Shortpath for managed networks using NAT traversal
  * RDP Shortpath for public networks using NAT traversal
  * RDP Shortpath for public networks using Relay (TURN)
* Double-click the policy setting Enable RDP Shortpath for managed networks to open it.
* Set the policy to Enabled or Disabled:
  * Enabled or Not Configured: The connection will attempt to use the specified network path.
  * Disabled: The connection will not use this network path.
* Ensure the policy is applied to the session hosts, then restart them for the settings to take effect.

Note: After you configure the GPO policy, restart the session to ensure the changes take effect.

Summary
The GA of RDP Shortpath configuration via GPO and Microsoft Intune gives administrators:
* Stronger policy-governed control
* Deterministic Shortpath behavior
* A layered model that works with AVD host pool configuration
* A consistent management experience across Windows 365 and AVD

While these policy settings simplify administration, network prerequisites still determine whether Shortpath will successfully establish.

We welcome your feedback and hope these enhancements help streamline your connectivity strategy across Windows 365 and Azure Virtual Desktop environments.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.
January 28, 2026 at 5:57 PM
Windows 365 now supported in Brazil South
Today, we’re pleased to announce that Windows 365 is now available in the Brazil South region. Organizations can now provision Cloud PCs closer to their users in Brazil and across South America, helping reduce latency and support regional data residency requirements. With this update, Brazil South joins the list of supported Azure regions for Windows 365, giving IT teams greater flexibility in how they deploy and scale Cloud PCs.

Note: Brazil South was previously available only through an exception process. With capacity now in place to support all customers, the region is now fully open for general availability.

To take advantage of Brazil South and future regional expansions, we recommend configuring your provisioning policies at the geography level using Multi‑Region Selection. This automatically places Cloud PCs in the best available region within the selected geography, improving resiliency and ensuring users always land on the optimal regional capacity.

Recommended next steps
Below are the tailored steps depending on the networking model your organization uses.

If you use Microsoft Hosted Network (MHN)
Microsoft Hosted Network is the simplest way to gain immediate benefits from new regions such as Brazil South. Microsoft manages all network placement decisions, so selecting a geography ensures your Cloud PCs are kept within the best available region automatically.
Steps:
* Review the documentation on enhanced resiliency with Microsoft Hosted Network.
* Configure provisioning policies to use Geography (for example, “South America”).
* Use automatic region selection for the most flexibility and scalability.

If you use Azure Network Connection (ANC)
Azure Network Connection customers continue to maintain control over networking and may need to update configurations to use Brazil South.
Steps:
* Review the documentation on Azure Network Connection.
* Ensure your ANC supports the Brazil South region, including virtual network availability and required endpoints.
* Update provisioning policies to select Brazil South or a broader region group once your network configuration is validated.

Get started
You can now provision Cloud PCs in Brazil South using your existing provisioning workflows. To learn more about configuration options, resiliency, and future regional expansion, visit the Windows 365 documentation.
January 26, 2026 at 7:23 PM
Windows Backup for Organizations expands to first sign-in restore
Exciting news! Windows Backup for Organizations is expanding to include a new restore experience at first sign-in. In early 2026, Windows 11 users will be able to restore their Windows settings and Microsoft Store apps at the very first sign-in, even on Microsoft Entra hybrid joined, multi-user setups, and Windows 365 Cloud PCs. Learn more and sign up to preview it today.

What's new in Windows Backup for Organizations?
Windows Backup for Organizations enables you to streamline your transition to the latest version of Windows by securely preserving Windows settings, the list of installed Microsoft Store apps, and Start menu pins. Whether part of a device refresh strategy or migration away from Windows 10 (now out of support), Windows Backup for Organizations is all about helping get users productive faster after a reset or reimage.

A new first sign-in restore experience (currently in private preview) is part of our ongoing commitment to resilience and productivity. Users signed in with a Microsoft Entra ID on eligible devices get a “second chance” to restore their environment if they missed the option during the out-of-box experience (OOBE).

Note: If users deliberately choose to skip the restore opportunity during OOBE, their preference will be respected.

With first sign-in restore, your users get back to work faster, with their preferred settings and Microsoft Store app list ready to go.

Key benefits of offering restore at first sign-in
You've already been able to help keep users productive when moving to a new PC or restoring after an incident—at scale. With a first sign-in restore experience, you benefit from:
* Broader coverage: Safely restore more devices, including Microsoft Entra hybrid joined devices, multi-user setups, and Windows 365 Cloud PCs.
* Same seamless experience: Restore Windows settings and the Microsoft Store app list at first sign-in, as you would during OOBE, minimizing downtime and accelerating productivity.
* Continued focus on user-centric recovery: Even if users miss the opportunity to restore during OOBE by accident or due to a technical issue, they can still get their personalized environment at first sign-in. No more starting from scratch.

Learn more and help shape what's next
If you're new to Windows Backup for Organizations, you can familiarize yourself with this feature by reading the following articles:
* Windows Backup for Organizations is now available
* Windows Backup for Organizations overview

Look out for this new capability in early 2026. In the meantime, if you're interested in testing it early, consider joining the private preview! Complete an interest form, which can also be accessed by scanning the QR code below. The form and the opportunity to sign up will remain open through Friday, February 13, 2026.

To be eligible for the preview you need to be part of the Microsoft Management Customer Connection Program and have a signed non-disclosure agreement (NDA). If you're not a current member of the program, sign up today.

We're excited to bring you this expansion. Your feedback continues to be invaluable as we shape the future of Windows Backup for Organizations and roll out exciting new features. Thank you for partnering with us to make Windows even better!
January 14, 2026 at 5:01 PM
Windows news you can use: December 2025
Last month, Windows security experts hosted an Ask Me Anything about updating Secure Boot certificates on Windows devices before the certificates expire in June 2026. Be sure to watch the video and read the questions and answers posted in the discussion section. Also, please bookmark the Secure Boot Playbook page to stay up to date on the latest details and guidance on this topic.

While December is usually a “quiet” month, there was still Windows news to be shared. Here's a quick recap:

New in Windows update and device management
* [AUTOPATCH] – Try the new Common Vulnerabilities and Exposures (CVEs) report in Windows Autopatch. It provides a comprehensive view of Windows CVEs addressed by recent quality updates, along with direct links to remediation documentation and device-level vulnerability status.
* [INTUNE] – Microsoft is bringing Microsoft Intune Suite capabilities to Microsoft 365 E3 and Microsoft 365 E5. No action is necessary. Find out which capabilities will be included in Microsoft 365 plans. Then keep an eye on Microsoft 365 admin center notifications for release dates.
* [CLOUD] [RESILIENCY] – Multi-region selection is now available and rolling out to all organizations utilizing Windows 365. We are also reducing the number of geographies and increasing the number of regions within each geography. Ready for more flexibility, regional resiliency, and latency optimization?

New in Windows security
* [BITLOCKER] – BitLocker now takes advantage of system on chip (SoC) and central processing unit (CPU) capabilities. You can now achieve better performance and security for current and future NVMe drives. Learn how hardware-accelerated BitLocker works and find out how to check if your devices are using this latest improvement.
* [ENTRA] – Starting with the December 2025 security update, you can now authenticate Microsoft Entra ID app sign-ins through Web Account Manager (WAM) with WebView2, the Chromium-based web control. This improvement supports modern web standards, advanced security, and future-ready scenarios.
* [SECURE BOOT] – Preparing to update Secure Boot certificates on Windows devices? The certificates expire in June 2026. Check out the recording of our December Ask Me Anything.

New in AI
* [COPILOT+ PC] – The latest Windows skilling snack packages up a robust set of resources. Get up to speed on using and managing AI-powered features and experiences unique to Copilot+ PCs. Access all of our bite-sized technical learning journeys, each designed to be consumed in two hours or less, via the refreshed Windows skilling snack library!

New in productivity and collaboration
* [CLOUD] [VIRTUALIZATION] – Multimedia call redirection on Azure Virtual Desktop and Windows 365 now supports Genesys Cloud and Five9 Contact-Center-as-a-Service (CCaaS) platforms. Get a more optimized calling experience for contact center agents using Genesys Cloud or Five9 in virtual environments.

New in Windows Server
For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.
* [WS2025] – Starting with the January 2026 security update, Windows Server 2025 will have its own KBIDs, separate from Windows 11, versions 24H2 and 25H2. This change improves clarity for administrators. Installation and management processes remain the same.
* [NVMe] [WS2025] – You can now opt in to native NVMe support in Windows Server 2025. With native NVMe, Windows Server can communicate directly with NVMe devices. This removes reliance on SCSI commands and significantly enhances storage performance and efficiency.

Lifecycle milestones
Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources
Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:
* Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
* Microsoft 365 Copilot release notes for latest features and improvements
* Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
* Windows Server Insider for feature preview opportunities
* Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

As we enter 2026, we're looking to make this monthly summary more helpful to you! Please drop us a note below and let us know what information you most want to hear about.
January 6, 2026 at 5:01 PM
Announcing hardware-accelerated BitLocker
We know that users desire both security and great performance. Historically, we have strived to keep BitLocker performance overhead within single digit percentage points. However, with the rapid rise in popularity and advancement of Non-Volatile Memory Express (NVMe) drive technology, these drives now achieve much higher Input/Output (I/O) operation speeds. As a result, corresponding BitLocker cryptographic operations can require a higher proportion of CPU (Central Processing Unit) cycles. This makes the performance impact of BitLocker more pronounced, especially on high-throughput and I/O intensive workloads like gaming or video editing.

As NVMe drives continue to evolve, their ability to deliver extremely fast data transfer rates has set new expectations for system responsiveness and application performance. While this is a major benefit for users, it also means that any additional processing — such as real-time encryption and decryption by BitLocker — can become a bottleneck if not properly optimized. For example, professionals working with large video files, developers compiling massive codebases, or gamers demanding the lowest possible latency may notice delays or increased CPU usage when BitLocker is enabled on these high-speed drives.

Balancing robust security with minimal performance impact is more challenging than ever. The need to protect sensitive data remains critical, but users also expect their devices to operate at peak efficiency. As a result, the industry has needed to innovate new solutions that ensure both security and speed are maintained even as hardware capabilities advance. To achieve this, we announced hardware-accelerated BitLocker at Microsoft Ignite last month.

Hardware-accelerated BitLocker is designed to provide the best combination of performance and security. Starting with the September 2025 Windows update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) Inline Crypto Engine technology, BitLocker will take advantage of upcoming system on chip (SoC) and central processing unit (CPU) capabilities to achieve better performance and security for current and future NVMe drives. These capabilities are:
* Crypto offloading – BitLocker shifts bulk cryptographic operations from the main CPU to a dedicated crypto engine. This capability frees up CPU resources for other tasks and helps improve both performance and battery life.
* Hardware protected keys – BitLocker bulk encryption keys, when necessary SoC support is present, are hardware wrapped, which helps increase security by reducing their exposure to CPU and memory vulnerabilities. This is an addition to the already supported Trusted Platform Module (TPM), which protects intermediate BitLocker keys, putting us on a path to completely eliminate BitLocker keys from the CPU and memory.

When enabling BitLocker, supported devices with NVMe drives along with one of the new crypto offload capable SoCs will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default. This includes automatic device encryption, manual BitLocker enablement, policy driven enablement, or script-based enablement with some exceptions. (Please see the Enablement and management experiences section below for more details.)

We have enhanced the architecture and implementation of the Windows storage and security stacks to support these new capabilities as an operating system enhancement that will bring value to all capable PCs over time. Upcoming Intel vPro® devices featuring Intel® Core™ Ultra Series 3 (formerly codenamed Panther Lake) processors will provide initial support for these capabilities with support for other vendors and platforms planned. Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market.

How Hardware-accelerated BitLocker works – diagram
[Figure: A diagram comparing a software BitLocker to hardware accelerated BitLocker.]
These diagrams show data flow for both software BitLocker and hardware-accelerated BitLocker. The type of arrow indicates whether we are dealing with unencrypted data (dotted arrow), encrypted data (solid arrow) or key management operations (dashed arrow).
1. In software BitLocker all the cryptographic operations for I/O (reads and writes) are executed on the main CPU before the I/O reaches the drive.
2. In hardware-accelerated BitLocker all the cryptographic operations for I/O (reads and writes) are executed on the dedicated part of the SoC before the I/O reaches the NVMe drive. Additionally, the BitLocker bulk encryption key is hardware protected by the SoC (if SoC supports it).

Performance improvement over software BitLocker
According to our tests, storage performance with hardware-accelerated BitLocker can approach NVMe performance without BitLocker encryption across common workloads. We see performance improvements in storage and I/O metrics like sequential and random writes and reads when comparing hardware-accelerated BitLocker to software BitLocker. In addition to the better storage performance, hardware-accelerated BitLocker provides on average a 70% savings in CPU cycles compared with software BitLocker. The CPU cycle savings can result in longer battery life.
[Figure: A bar chart comparing an average number of cycles per IO between hardware-accelerated BitLocker and software BitLocker as opposed to without BitLocker encryption.]
Note: Test outcomes may differ and are influenced by the platform’s H/W configuration.

Validation
To check if your device is using hardware-accelerated BitLocker, open a command prompt as an administrator and run manage-bde -status. Look at the Encryption Method section — if you see Hardware accelerated shown, it indicates that BitLocker is utilizing the SoC’s crypto acceleration capabilities.
[Figure: A command-prompt interface shows hardware-accelerated BitLocker as the encryption method.]
We are working on improving our tools’ status readout to clearly show which capabilities are used.

Product demo: comparing Software BitLocker and Hardware-accelerated BitLocker performance
This video compares software BitLocker and hardware-accelerated BitLocker by enabling both via command line, verifying encryption methods, and running benchmarks to assess performance differences. It concludes by demonstrating hardware-protected keys.
[Video: Video from the Microsoft Ignite 2025 conference comparing software BitLocker to hardware-accelerated BitLocker.]
Note: (0:28 - 0:41) Accelerated for demo purposes, actual times may vary.

Enablement and management experiences
For BitLocker provisioning during the WinPE (Windows Preinstallation Environment) flow and other offline provisioning scenarios, cryptographic offloading will function as intended provided that the disk is used on compatible hardware with appropriate drivers, and the chosen algorithm and encryption method align with those supported by the SoC.

Hardware-accelerated BitLocker will not be used in Windows if:
* A user enables BitLocker manually through the command line or PowerShell and specifies an algorithm or key size that is not supported by the SoC vendor. This also applies to any automation tools or scripts.
* An administrator applies an enterprise policy (through MDM or GPO) with a key size or algorithm that the SoC vendor does not support (such as AES-CBC-128 bit or AES-CBC-256 bit). We plan to modify this behavior in an early spring update by automatically increasing the key size for new BitLocker enablements, but not changing the algorithm itself. For instance, if the policy specifies AES-XTS-128 bit, it will be upgraded to AES-XTS-256 to enable hardware-accelerated BitLocker on supported platforms. However, if the policy specifies AES-CBC-128 or AES-CBC-256, the algorithm will not be changed to AES-XTS, and hardware-accelerated BitLocker will not be utilized.
* An IT Administrator enables the “System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing, and signing algorithms” policy. The use of hardware-accelerated BitLocker relies on whether the SoC reports FIPS certification of its hardware key wrapping and crypto offloading capabilities to Windows.

We encourage you to leverage these advancements to help maximize both security and performance on your devices. Thank you for taking the time to stay informed and proactive about device protection.

Securing the present, Innovating for the future
Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience.

The updated Windows Security book and Windows Server Security book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
December 19, 2025 at 6:01 PM
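The validation step in the hardware-accelerated BitLocker post above, as an added PowerShell example (not code from the post or from Microsoft): it parses `manage-bde -status` output per volume and explains a missing "Hardware accelerated" marker using the exceptions the post lists. The function name, the sample output and the exact placement of the marker text are assumptions, and English-language tool output is assumed.

```powershell
# Added example. Assumptions: English-language manage-bde output, and the marker
# text "Hardware accelerated" appearing somewhere in a volume's status block.
function Get-BitLockerAccelerationStatus {
    [CmdletBinding()]
    param(
        # Captured output of `manage-bde -status`. When omitted, the tool is
        # run locally, which requires an elevated prompt.
        [string[]]$StatusText
    )

    if (-not $StatusText) {
        $StatusText = & manage-bde.exe -status
    }
    # Accept either an array of lines or one multi-line string.
    $lines = @($StatusText) -split '\r?\n'

    $volumes = [System.Collections.Generic.List[object]]::new()
    $current = $null

    foreach ($line in $lines) {
        if ($line -match '^Volume\s+(?<vol>\S+)') {
            # A new "Volume X: [Label]" header starts a new status block.
            $current = [pscustomobject]@{
                Volume              = $Matches['vol']
                EncryptionMethod    = 'Unknown'
                HardwareAccelerated = $false
                Note                = $null
            }
            $volumes.Add($current)
        }
        elseif ($null -eq $current) {
            continue   # banner lines before the first volume
        }
        elseif ($line -match '^\s*Encryption Method:\s*(?<method>.*\S)') {
            $current.EncryptionMethod = $Matches['method']
        }

        if ($current -and $line -match 'Hardware[\s-]accelerated') {
            $current.HardwareAccelerated = $true
        }
    }

    foreach ($v in $volumes) {
        $v.Note = if ($v.HardwareAccelerated) {
            'Crypto offload in use.'
        }
        elseif ($v.EncryptionMethod -match '^None') {
            'Volume is not encrypted.'
        }
        elseif ($v.EncryptionMethod -match '^AES') {
            # manage-bde prints AES-CBC as "AES 128" / "AES 256".
            'AES-CBC: per the post, the algorithm is never switched to XTS, so offload is not used.'
        }
        elseif ($v.EncryptionMethod -match '128') {
            'XTS-AES 128: check the key size in policy or scripts; the post plans a key-size upgrade for new enablements.'
        }
        else {
            'XTS-AES 256 without the marker: check SoC and driver support, OS build, and the FIPS policy.'
        }
    }

    return $volumes
}

# Constructed sample output (not captured from a real device); the
# "(Hardware accelerated)" suffix is an assumed rendering of the marker.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    Conversion Status:    Used Space Only Encrypted
    Encryption Method:    XTS-AES 256 (Hardware accelerated)
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 931.50 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume E: [Archive]
[Data Volume]

    Size:                 1862.89 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 256
    Protection Status:    Protection On
'@

Get-BitLockerAccelerationStatus -StatusText $sample |
    Format-Table -AutoSize -Wrap
```

Calling the function without `-StatusText` from an elevated prompt checks the local device instead of the sample.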
Windows skilling snacks: bite-sized technical learning
If you are looking for a quick way to get up to speed on features, tools, and recommended approaches for deploying and managing Windows, skilling snacks are here to help. With the wealth of Microsoft articles, demos, tools, and resources available, it can be difficult to know where to start or what to prioritize. With Windows skilling snacks, we've curated a library of technical learning journeys, each of which can be consumed in less than two hours. That means you can skill up during a slow morning, over a long lunch break, or whenever it best suits your schedule. Follow and bookmark this page for new installments—and comment below if there is a topic you'd like us to cover.

Navigate to: New on the menu | Device and update management | Security | Accessibility and productivity | Extra bites

New on the menu
* Get started with AI in Windows
* AI and Windows admin management
* AI on Windows Copilot+ PCs
* AI for Windows developers
* Get started with Microsoft 365 Copilot Chat

Device and update management
* Windows Autopilot 101
* Configure devices with Windows Autopilot
* Windows Autopilot device preparation
* Windows monthly updates
* Managing Windows 11 updates
* Windows Autopatch
* Hotpatch on Windows client and server
* Windows driver update management
* Mobile device management in Microsoft Intune
* Windows device management in the public sector
* Best practices for shared and frontline Windows devices
* Reduce bandwidth for Microsoft content delivery
* Microsoft Store apps and app migration
* Do more with Microsoft Graph
* Windows lifecycle

Security
* Security fundamentals
* Windows hardware security
* Windows application security
* Data security basics for IT pros
* Windows passwordless options
* BitLocker management for enterprises
* Network security basics for endpoints
* Advanced network security
* Windows Server security
* Windows security for developers

Accessibility and productivity
* Accessibility in Windows 11
* Voice access in Windows
* Tools for creating accessible content
* Cloud-based printing with Universal Print

Extra bites
* Your Windows release information toolbox
* Windows events and communities
* Windows app compatibility
* Windows 11 end-user readiness
* Windows 365 or Azure Virtual Desktop

Archive
These resources contain information that may be dated, but still offer valuable historical context, foundational guidance, or reference material. While not fully current, they can help you understand earlier approaches or provide background knowledge.
* Plan, prepare, and deploy Windows 11
* From on premises to the cloud
* Feature update management
* Using Windows Update for Business
* Application control for Windows
* Windows LAPS
December 18, 2025 at 5:02 PM
Skilling snack: AI on Windows Copilot+ PCs: You can be a lot more productive with AI on Copilot+ PCs, the newest type of Windows PCs. In the past year, we’ve added several new features and capabilities designed to boost productivity and inclusivity. See how Copilot+ PCs evolved with… #WindowsITPro
Skilling snack: AI on Windows Copilot+ PCs
You can be a lot more productive with AI on Copilot+ PCs, the newest type of Windows PCs. In the past year, we’ve added several new features and capabilities designed to boost productivity and inclusivity. See how Copilot+ PCs evolved with AI powered features like Click to Do, Recall, improved Windows search, and Fluid dictation (in preview). Windows accessibility features are designed for everyone, empowering people of all abilities to work, create, and connect seamlessly including AI-driven tools and functionality. Learn more and start managing Copilot+ PCs with their exclusive features with this collection of resources.

Time to learn: 128 mins

Introduction to Copilot+ PCs
* Copilot+ PCs and features for business (1 min): Watch this short video at the top of the page to get introduced to Copilot+ PCs. They’re the fastest, most intelligent, and most secure Windows devices, with the best battery life and performance on the market.
* Get started with Copilot+ PC features (6 mins): Access your Copilot+ PC features in several ways. Get tips on creating, enhancing your calls, and personalizing your productivity.

The evolution of Copilot+ PCs
* Evolving Windows: new Copilot and AI experiences at Ignite 2025 (11 mins): Check out the latest productivity and accessibility features offered by M365 Copilot. On Windows 11, interact with Copilot with voice, check on the agents on the taskbar, use search and Ask Microsoft 365 Copilot directly in the taskbar, get file assistance from File Explorer Home, and prepare for meetings in the agenda view in the Notification Center. This and more can be done on Copilot+ PCs! There’s more on accessibility features, agent support, and security enhancements.
* Empowering the future: The expanding Arm app ecosystem for Copilot+ PCs (6 mins): If you’re a developer, find out about what’s now available on Arm for Copilot+ PCs. Learn about endpoint protection apps, VPN and Zero Trust Network Access (ZTNA) apps, endpoint management tools, productivity apps, and more.

Measuring Copilot+ PC impact for your organization
* New technology: The projected Total Economic Impact™ of Microsoft Copilot+ PCs (27 mins): Building a business case for Copilot+ PCs for your organization? This Microsoft commissioned Forrester study calculates the 3-year projected return on investment to be 137%-367%, depending on a variety of factors. Compare your context with the composite organization to visualize what your quantified and unquantified benefits might be.
* Copilot+ PCs: The fastest, most intelligent Windows PCs ever! (31 mins): For resources to share with the technical decision makers at your organization, get this on-demand video.

Managing Copilot+ PCs and AI
* AMA: Manage AI and intelligent agents in Windows (30 mins): Learn how to enable AI experiences for your organization with security and control. Get tips on using Microsoft Intune or Group Policy to fine-tune popular features like Recall, Copilot, Click to Do, and Image Creator.
* Configure the agent in Windows Settings (3 mins): This unique Copilot+ PC feature uses on-device AI to help users at your organization find and change settings on their device.
* Updated Windows and Microsoft 365 Copilot Chat experience (10 mins): Short press the Copilot key (or Windows key+C shortcut) to invoke the Microsoft 365 Copilot Chat prompt box. Long press the Copilot key (or Win+C shortcut) or say “Hey Copilot” (available in Frontier in the coming weeks) to directly activate voice in Microsoft 365 Copilot and start a back-and-forth conversation. Not ready to use Copilot yet? Remap the Copilot key on Copilot+ PCs! Read about managing the Copilot key.

AI for accessibility on Copilot+ PCs
* Fluid dictation (in preview) (3 mins): Preview how to manage a unique Copilot+ PC feature for voice access, available in all English locales and enabled by default. Fluid dictation automatically corrects grammar, punctuation, and filler words as you speak.

Most Windows 11 accessibility features are not exclusive to Copilot+ PCs. The following AI resources are also available to meet accessibility needs of people at your organization:
* Accessibility tools for Microsoft Copilot (time varies): Find a list of screen reader capabilities across Microsoft 365 apps available to users at your organization. Follow the corresponding links to learn more.
* Using Copilot in accessibility (time varies): Browse accessibility scenarios that Microsoft Copilot can help with. See how you can simplify your workflows by functional area or industry, key performance indicators (KPIs), or accessibility roles. Download and share these tools with your organization.

This wraps up our series of skilling snacks on Windows and AI! Did you miss any?
* Skilling snack: Get started with AI in Windows
* Skilling snack: AI and Windows admin management
* Skilling snack: Get started with Microsoft 365 Copilot Chat
* Skilling snack: AI for Windows developers

For more resources on a variety of topics, check out our growing Windows skilling snacks library. Let us know what other topics you’re hungry for!
December 11, 2025 at 8:04 PM
Introducing resiliency improvements with Microsoft Hosted Network: Resilience improvements with Microsoft Hosted Network

At Microsoft, we understand that customers need a desktop service that is reliable and resilient — in other words, a service that simply works. Continuing our… #WindowsITPro
Introducing resiliency improvements with Microsoft Hosted Network
Resilience improvements with Microsoft Hosted Network
At Microsoft, we understand that customers need a desktop service that is reliable and resilient — in other words, a service that simply works. Continuing our efforts to deliver customers a robust and productive Cloud PC experience, today we are announcing several new features that enhance reliability and resiliency even further.

Introducing Microsoft Hosted Network (MHN) enhancements
As the number of Azure regions and the number of regions that Windows 365 supports has continued to grow, we saw an opportunity to re-organize region grouping in a way that simplifies region selection and maximizes platform availability when issues occur. Additionally, customers have requested a streamlined way to achieve their data sovereignty requirements when deploying Cloud PCs. To meet this requirement, we are introducing a new region group location tier that will sit between the current geography and region locations. We are also re-organizing region grouping to provide better availability of the underlying Azure capacity that your Cloud PCs require.

Introducing the new Region Group location tier
We are now introducing a new Region Group tier that provides improved data sovereignty along with improved resiliency. You now have three options for locations that can be selected within a provisioning policy:
* The Geography tier remains unchanged, except for the number and region membership of each, which is discussed later. It now contains the new region group tiers, which will include multiple regions. When creating a new provisioning policy, all region groups within that geography will be selected by default, as well as all regions within the region groups. Our recommendation is to keep all region groups selected, as it maximizes regions available and increases overall workload resiliency.
* The Region Group tier is new. This tier will group Azure regions into groupings for data sovereignty requirements, while also providing multiple regions for resiliency, across which the resulting Cloud PCs are distributed. A region group typically maps to a single country or a specific geographical boundary (e.g., US East, US West, etc.). Choosing this tier establishes the data sovereignty for all Cloud PCs deployed via an MHN provisioning policy where a region grouping has been selected. As new regions are enabled for Windows 365, these will be added into the appropriate region group, providing future resiliency improvements.
* The Region tier remains unchanged and still allows you to select a specific region if that is your requirement. However, selecting a specific region limits your benefits of the grouping of regions, i.e. the automatic distribution of your Cloud PC estate across multiple Azure regions, which may increase the impact of an Azure region outage.

We are removing the MHN-Automatic option from the region selection part of the provisioning policy user interface and making this same behavior an automatic and intrinsic part of the service when selecting a geography or region group. We recommend using the Geography tier whenever possible for maximum resiliency and flexibility. If you have country-specific data sovereignty requirements, choose a region group instead. Region groups still support cross-region deployments, though with fewer regions than a geography. Even if a group currently has only one region, please select it as future additions will automatically provide multi-region benefits.

[Figure: New location selection for Microsoft-hosted network and network type within a provisioning policy, with an example showing three-tier provisioning selections.]

Re-organizing the region grouping to provide better availability of underlying Azure capacity
In addition to the new three-tiered location selection, and to maximize the effectiveness of these improvements, we are reducing the number of geographies and increasing the number of regions within each of these geographies, which in turn provides more selection flexibility, regional resiliency, and latency optimization. The new location selection matrix is listed below:

Geography > Region Group > Region
* Asia > Singapore > Southeast Asia
* Asia > Hong Kong > East Asia
* Asia > Japan > Japan East, Japan West
* Asia > South Korea > Korea Central
* Australasia > Australia > Australia East
* Canada > Canada > Canada Central
* Europe > France (EU) > France Central
* Europe > Germany (EU) > Germany West Central
* Europe > Ireland (EU) > North Europe
* Europe > Italy (EU) > Italy North
* Europe > Netherlands (EU) > West Europe
* Europe > Poland (EU) > Poland Central
* Europe > Spain (EU) > Spain Central
* Europe > Sweden (EU) > Sweden Central
* Europe > Norway > Norway East
* Europe > United Kingdom > UK South
* Europe > Switzerland > Switzerland North
* India > India > India Central
* Africa > South Africa > South Africa North
* US Central > US Central > Central US, South Central US
* US East > US East > East US, East US 2
* US West > US West > West US 2, West US 3
* South America > Brazil > Brazil South
* Middle East > Israel > Israel Central
* Middle East > UAE > UAE North
* Middle East > Qatar > Qatar Central
* Mexico > Mexico > Mexico Central

[Table caption: New Azure region organization available within a provisioning policy, showing the reduced number of geographies, the new “region group” mid-tier, and more regions available within the geographies.]

Grouping an increased number of regions into a smaller number of geographies and introducing the new middle region group tier provides more flexibility for the Windows 365 service. As new regions come online, they will be added into the relevant region group and geography where appropriate.

New service capabilities to enhance resilience and flexibility
Besides Microsoft Hosted Network (MHN) enhancements, we are introducing two new service capabilities for newly created provisioning policies that will apply to Cloud PCs deployed to either the geography or region group tiers without requiring manual intervention.

* Intelligent cross region distribution
To maximize Cloud PC resiliency, Windows 365 now distributes deployments across all healthy regions within a geography or region group when selected. This is applied to all new Cloud PCs within a provisioning policy, minimizing the impact of any single region issue. If your estate of 100 Cloud PCs has been distributed across ten regions and a single region has an outage, then only ten percent of your estate will be affected, as opposed to 100%, which could happen if they were all deployed to the region experiencing the outage. All regions within a geography or region group will be within a similar latency boundary. You can check regional location in two easy ways:
1. Within the All Cloud PCs blade: there will be a new Cloud PC Region column (hidden by default) in the All Cloud PCs view. This displays the current deployment region of each Cloud PC. You can enable this column to surface the region information in the Intune portal.
2. Via the Microsoft Graph API: The ListCloudPCs API includes a deviceRegionName property in its response, which indicates the provisioning region for each Cloud PC.

* Snapshot distribution
When using cross region disaster recovery with MHN and multi-region selection, recovery snapshots are distributed across multiple regions instead of being stored in one region. So, if the disaster recovery region faces issues during recovery, only Cloud PCs with snapshots in that region are affected. Remaining Cloud PCs can still recover from their respective regions.

These new features are only available via the MHN network type when selecting either a geography, a region group, or a group of individual regions. They will not be made available in the Azure Network Connection (ANC) network type. Likewise, region grouping improvements are only applicable when using MHN, so we encourage customers to use the MHN network type as much as possible. Click here for further detailed instructions: Enhance Microsoft Hosted Network (MHN) Cloud PC Resiliency with Multi-Region Selection

A layered approach to business continuity
With today’s announcement, Windows 365 now offers a more complete and flexible resiliency strategy, one that meets customers where they are and scales with their needs. Whether you're looking for built-in protection from localized disruptions or enterprise-grade continuity across regions, Windows 365 provides a completely customizable layered approach to workload resiliency that adapts to your business.
* Level 1: Point-in-time restore, included within the service.
* Level 2: Enhanced MHN functionality, new and included within the MHN service.
* Level 3: Premium disaster recovery: cross region disaster recovery and disaster recovery plus, which are both paid add-ons.
* Level 4: Windows 365 Reserve, a new separate licensed offering for Windows 365 that can enhance physical device resiliency.

The enhancements we are announcing today will provide important improvements for the on-going management of your total physical and Cloud PC estate, all taken care of by Microsoft so that you don’t have to. By selecting the geography or region group options, Windows 365 will balance your Cloud PC estate across multiple regions within a geography, reducing the impact that a regional issue may have. The additional resiliency enhancements enabled within the platform demonstrate our commitment to providing more reliable service for our customers. We encourage you to take full advantage of these features in Windows 365 — just tell Microsoft which geography you want your Cloud PCs in and we will manage the rest for you.
December 10, 2025 at 9:02 PM
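The Microsoft Hosted Network post above says the ListCloudPCs response carries a deviceRegionName property for each Cloud PC. The following added example (not from the post or from Microsoft) turns such a response into a per-region report that shows how much of the estate a single-region outage would affect and whether every Cloud PC sits inside the region group chosen for data sovereignty. The function name Get-CloudPcRegionReport is hypothetical, the JSON is a constructed sample, and the region strings are assumed to match the display names in the post's matrix.

```powershell
# Constructed sample shaped like a ListCloudPCs response. Only the two
# properties used below are included. Assumption: deviceRegionName values
# match the region display names in the article's location matrix.
$SampleResponse = @'
{
  "value": [
    { "managedDeviceName": "CPC-user01", "deviceRegionName": "East US" },
    { "managedDeviceName": "CPC-user02", "deviceRegionName": "East US" },
    { "managedDeviceName": "CPC-user03", "deviceRegionName": "East US" },
    { "managedDeviceName": "CPC-user04", "deviceRegionName": "East US 2" },
    { "managedDeviceName": "CPC-user05", "deviceRegionName": "West US 2" }
  ]
}
'@

function Get-CloudPcRegionReport {
    # Hypothetical helper: one row per region with its share of the estate
    # and whether the region belongs to the allowed region group.
    param(
        [Parameter(Mandatory)][object[]]$CloudPc,
        [Parameter(Mandatory)][string[]]$AllowedRegion
    )
    $total = $CloudPc.Count
    $CloudPc |
        Group-Object -Property deviceRegionName |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Region              = $_.Name
                CloudPcCount        = $_.Count
                # Share of the estate lost if this one region has an outage.
                OutageImpactPercent = [math]::Round(100 * $_.Count / $total, 1)
                InRegionGroup       = $AllowedRegion -contains $_.Name
                Devices             = $_.Group.managedDeviceName -join ', '
            }
        }
}

# "US East" region group per the article's matrix: East US and East US 2.
$usEastGroup = 'East US', 'East US 2'

$cloudPcs = ($SampleResponse | ConvertFrom-Json).value
$report   = Get-CloudPcRegionReport -CloudPc $cloudPcs -AllowedRegion $usEastGroup

$report | Format-Table Region, CloudPcCount, OutageImpactPercent, InRegionGroup

# Surface Cloud PCs provisioned outside the intended sovereignty boundary.
$report | Where-Object { -not $_.InRegionGroup } | ForEach-Object {
    Write-Warning "Outside region group: $($_.Region) ($($_.Devices))"
}
```

With the constructed sample, East US holds 60% of the estate and CPC-user05 is reported as outside the US East region group.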
Now generally available: Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11: We’re thrilled to share an important update: Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting… #WindowsITPro
Now generally available: Modernizing Microsoft Entra ID auth flows with WebView2 in Windows 11
We’re thrilled to share an important update: Entra ID app sign-in through Web Account Manager (WAM) now has the option to be powered by WebView2, the Chromium-based web control, starting with KB5072033 (OS Builds 26200.7462 and 26100.7462) or later. This release marks a significant step forward in delivering a secure, modern, and consistent sign-in experience across apps and services.

What is a WebView?
A WebView is a UI component that allows you to display web content (HTML, CSS, JavaScript) inside a native application. Instead of opening a full browser, a WebView embeds a browser engine within your app so you can render web pages or web-based UI directly in your application window. Windows has many user experiences that use WebViews to gather web information and present it to users in a way that looks like native content. One common scenario for this is authentication flows, where a user is prompted for their username and provides credentials.

Why we made this change
Authentication is the front door to your digital world. As identity experiences evolve, we need a foundation that supports modern web standards, advanced security, and future-ready scenarios. WebView2 provides exactly that.

Key benefits
This update includes several benefits, including:
* Modern Standards: Built on Chromium, WebView2 supports the latest web technologies, enabling richer, more responsive sign-in interfaces and compatibility with modern frameworks like React and Fluent UI.
* Future-Ready Experiences: Unlocks advanced scenarios such as Passwordless sign-in, passkeys, and seamless integration with Conditional Access policies — all with fewer redirects and friction.
* Better Compatibility: Improves support for third-party identity providers and enterprise apps that rely on modern web frameworks, ensuring consistent experience across diverse environments.

Getting started
This transition is seamless for most users and apps. If you manage enterprise deployments:
* Ensure your environment meets WebView2 runtime requirements (included in recent Windows builds or available via evergreen installer).
* Customers whose auth flows already work in Microsoft Edge-based browsers should not need any configuration change. If any issues are observed, please see:
  o Microsoft Edge identity support and configuration | Microsoft Learn
  o Configure browsers to use Windows Integrated Authentication (WIA) with AD FS | Microsoft Learn
* Visit https://learn.microsoft.com/ for detailed guidance on WebView2 integration and troubleshooting.

Enabling WebView2 in the Entra ID plugin
After installing KB5072033 (OS Builds 26200.7462 and 26100.7462) or later, enable WebView2 integration by setting the following registry value with regedit, the command line, or policy:
Reg key location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AAD
Reg key value: WebView2Integration, a DWORD set to “1” for WebView2 integration to be ON.
Note: If the AAD key does not exist, create it by right-clicking on Windows, selecting New > Key, and naming it AAD.
Figure 1 - Screenshot of the registry value to add
After applying the registry key, the device should be ready to use. Try authenticating or adding a work account in apps such as Teams, Feedback Hub, Office, or Edge.

Disabling WebView2 in the Entra ID plugin
Disable WebView2 integration by setting the following registry value with the registry, the command line, or policy:
Reg key location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AAD
Reg key value: WebView2Integration, a DWORD set to “0” for WebView2 integration to be OFF.
After applying the registry key, the device should be ready to use. Try authenticating or adding a work account in apps such as Teams, Feedback Hub, Office, or Edge.

Looking ahead
WebView2 will become the default framework for WAM authentication in an expected future Windows release, with the EdgeHTML WebView being deprecated. Therefore, we encourage users to deploy now and participate in the opt-in process, enable this experience in their environments, and make any necessary adjustments — such as updating proxy rules or modifying code in services involved in the logon process. Contact Customer Support Services if you'd like to provide feedback. Moving to WebView2 is more than a technical upgrade — it’s a strategic investment in secure, user-friendly identity experiences. We’re committed to evolving Entra ID to meet the needs of modern organizations and developers.
December 9, 2025 at 9:57 PM
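The registry steps in the WebView2 post above can be scripted so that the opt-in is only applied on builds that carry the change and can be rolled back the same way. This is an added example, not Microsoft's script: the function names are hypothetical, and treating any build newer than 26200 as eligible is an assumption based on the post's "or later" wording.

```powershell
#Requires -RunAsAdministrator
# Added example. The registry path and value name come from the article;
# the function names are hypothetical.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AAD'
$ValueName  = 'WebView2Integration'

# Minimum update revision per build, from the article (KB5072033).
$MinimumUbr = @{ 26100 = 7462; 26200 = 7462 }

function Test-WebView2AuthPrerequisite {
    # Build number and update revision (UBR) live under CurrentVersion.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if ($MinimumUbr.ContainsKey($build)) {
        return $ubr -ge $MinimumUbr[$build]
    }
    # Assumption: builds newer than 26200 already include the change.
    return $build -gt 26200
}

function Get-WebView2AuthState {
    # Returns NotConfigured when the AAD key or the value is absent.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-WebView2AuthState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    # Refuse to opt in on a build that predates the update.
    if ($Enabled -and -not (Test-WebView2AuthPrerequisite)) {
        throw 'OS build is older than 26100.7462 / 26200.7462 (KB5072033); not enabling.'
    }

    # The article notes the AAD key may not exist yet.
    if (-not (Test-Path -Path $PolicyPath)) {
        if ($PSCmdlet.ShouldProcess($PolicyPath, 'Create registry key')) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
    }

    $data = [int]$Enabled   # 1 = ON, 0 = OFF, as a DWORD
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", "Set DWORD to $data")) {
        New-ItemProperty -Path $PolicyPath -Name $ValueName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }

    Get-WebView2AuthState
}

# Report the current state, then preview the opt-in without writing anything.
Get-WebView2AuthState
Set-WebView2AuthState -Enabled $true -WhatIf
```

Drop -WhatIf to apply the change, and call Set-WebView2AuthState -Enabled $false to write the "0" value the post describes for turning the integration off.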
Genesys Cloud and Five9 now supported on Azure Virtual Desktop and Windows 365: We’re excited to announce that multimedia call redirection on Azure Virtual Desktop and Windows 365 now supports Genesys Cloud and Five9, both Contact-Center-as-a-Service (CCaaS) platforms. This… #WindowsITPro
Genesys Cloud and Five9 now supported on Azure Virtual Desktop and Windows 365
We’re excited to announce that multimedia call redirection on Azure Virtual Desktop and Windows 365 now supports Genesys Cloud and Five9, both Contact-Center-as-a-Service (CCaaS) platforms. This enhancement enables a more optimized calling experience for contact center agents using Genesys Cloud or Five9 in virtual environments. To see a full list of supported CCaaS solutions, refer to our documentation.

What is multimedia call redirection?
Multimedia call redirection optimizes WebRTC-based calls by redirecting audio data from Azure Virtual Desktop session hosts or Windows 365 Cloud PCs to the user’s local device. This offloading helps reduce latency, improve call quality, and deliver a “like-local” communication experience, as if the call was happening directly on the user’s physical device rather than through a remote cloud connection.

Benefits of using multimedia call redirection
Integrating multimedia call redirection with CCaaS solutions on Azure Virtual Desktop and Windows 365 offers direct benefits for customers, particularly those in contact centers or hybrid work environments:
* Enhanced call quality: By redirecting WebRTC calls to the local device, multimedia call redirection is designed to minimize latency and packet loss, helping ensure clearer audio. This can be especially important for contact center agents where clear communication directly impacts customer satisfaction and support case completion rates.
* Improved productivity: With multimedia call redirection, agents experience an enhanced, like-local call experience, helping reduce interruptions and allowing them to better focus on delivering quality customer service.
* Resource optimization: Multimedia call redirection offloads multimedia processing from the Azure Virtual Desktop session host or Windows 365 Cloud PC to the physical endpoint, helping to reduce the computational load on the underlying virtual machine by bypassing the remote session and helping improve audio quality and reduce latency. This can also help optimize resource usage in the cloud, especially for organizations that are scaling their virtual desktop environments.
* Seamless integration with Windows App: Multimedia call redirection works effortlessly with Windows App, a unified platform that connects users to Windows desktops and apps from Azure Virtual Desktop, Windows 365, and other Microsoft services.
* Enhanced flexibility for remote and hybrid workforces: Multimedia call redirection can help support remote and hybrid teams with reliable, high-quality communication tools. Agents can use Genesys Cloud or Five9 on Azure Virtual Desktop or Windows 365 from any supported device, helping promote consistent performance regardless of location.

Getting started
To take advantage of multimedia call redirection, ensure your environment meets the following requirements:
* Multimedia call redirection host version: Use version 1.0.2507.21006 or higher (download the MSI installer). This is already included in the Windows gallery image for Windows 365.
* Browser support: Install the latest version of Microsoft Edge or Google Chrome on your session hosts.
* Setup guide: Follow the detailed instructions in the Microsoft documentation to configure multimedia call redirection for Azure Virtual Desktop or Windows 365.
* Refer to the following links for all necessary configuration details:
  o Genesys Cloud documentation and blog
  o Five9 documentation and blog

Certify your CCaaS solution for multimedia call redirection
Are you a CCaaS provider or developer looking to certify your WebRTC-based calling app for multimedia call redirection? Multimedia call redirection provides a versatile solution compatible with most calling apps. You can start testing your app’s compatibility by following these validation steps. Contact us to officially list your app as supported or reach out to Microsoft Support for any compatibility issues.
December 4, 2025 at 6:01 PM
New Windows Autopatch report on CVEs: Your security team needs clear, actionable insights to protect your organization from emerging threats. The new Common Vulnerabilities and Exposures (CVEs) report in Windows Autopatch delivers just that. Get a comprehensive view of Windows CVEs… #WindowsITPro
New Windows Autopatch report on CVEs
Your security team needs clear, actionable insights to protect your organization from emerging threats. The new Common Vulnerabilities and Exposures (CVEs) report in Windows Autopatch delivers just that. Get a comprehensive view of Windows CVEs addressed by recent quality updates, along with direct links to remediation documentation and device-level vulnerability status.

Why CVE reporting matters
With the increasing pace of security updates and the complexity of enterprise environments, it can be a struggle to track which vulnerabilities have been remediated and which devices remain at risk. The CVE report bridges this gap and joins your other Windows quality update reports right in the Microsoft Intune admin center. This empowers your organization to prioritize update deployment, demonstrate compliance, and maintain a robust security posture.

Key features of the new Windows Autopatch report
* Comprehensive CVE list: View all Windows CVEs addressed in the past 90 days, including severity ratings and exploitation status.
* Device vulnerability tracking: Identify which managed devices are missing updates for specific CVEs.
* Access to technical details and remediation guidance: Each CVE entry links to the Windows update KB article (also known as a release note) that describes the fix.
* Search and filter: Easily locate CVEs by ID, severity, or update release.
* Export: Share and use this report offline as you implement your response strategy.
* Timely insights: The report latency is two hours, reflecting the latest changes for the most actionable insights.

How to access the report
* Navigate to the Microsoft Intune admin center.
* Go to Reports > Windows Autopatch > Windows quality updates.
* Select the Reports tab.
* Select the Common Vulnerabilities and Exposures (CVEs) report.

[Screenshot of the Common Vulnerabilities and Exposures (CVEs) report in Microsoft Intune admin center]

Inside the report
The report contains details and links relevant to the CVE, to the update that addresses it, and to your environment. CVEs are unique identifiers assigned to publicly disclosed security vulnerabilities that Microsoft has investigated, confirmed, and published. For each CVE, see related columns of CVE Name, CVE Base Score, and Exploited to learn about its status. The columns Release, KB Article, and Published relate to the Windows update that contains the fix for this CVE. Review the number of devices in the column Devices Missing Update. Select a cell to invoke a flyout with the complete list of device names and their OS versions to inform your next steps.

[Screenshot of the flyout of Devices missing a selected CVE, including device names and OS versions]

Improve your vulnerability response strategy today
The new CVE report in Windows Autopatch can help strengthen your vulnerability response strategy. Once you identify devices exposed to a high severity CVE, depending on the scenario, you can:
* Use Windows Autopatch update readiness (currently in preview) to proactively monitor, troubleshoot, and repair devices to help ensure they receive quality updates smoothly.
* Expedite corresponding updates using Microsoft Intune or Microsoft Graph. To learn more, see Get the most out of expedited Windows quality updates.
* Use the Security Copilot Vulnerability Remediation Agent in Intune (currently in limited public preview).

Try the new report today and let us know what you think! Here’s what else can get you started:
* Common Vulnerabilities and Exposures (CVEs) report
* MSRC Security Update Guide: Vulnerabilities
* Windows Autopatch documentation
* Security Copilot Vulnerability Remediation Agent in Microsoft Intune
December 4, 2025 at 5:03 PM
Windows news you can use: November 2025: In case you haven’t yet had time to catch up on all the announcements from Microsoft Ignite, I’m happy to offer a recap of what was revealed in the world of Windows and Windows 365 plus a few security and Microsoft Intune highlights. Have… #WindowsITPro
Windows news you can use: November 2025
In case you haven’t yet had time to catch up on all the announcements from Microsoft Ignite, I’m happy to offer a recap of what was revealed in the world of Windows and Windows 365 plus a few security and Microsoft Intune highlights.

Have questions on any of what you read below? Join us this week for Windows Tech Community Live. We’ll be live streaming panel-based discussions today—then answering your questions on the session pages through Friday. That means there is plenty of time to get the answers you need to keep your deployment and device management projects moving. Let’s jump in!

New in Windows update and device management

* [AUTOPATCH] [TOOLS] – Announced at Microsoft Ignite, Windows Autopatch update readiness brings improved clarity, reporting, automation, and control to Windows update management. Capabilities include automated checks, device update journey maps, actionable alerts, guided remediation, advanced cloud-based policies for managing monthly updates with control, and reporting.
* [RECOVERY] [AUTOPATCH] – With quick machine recovery, you can automatically detect, diagnose, and remediate boot critical issues from WinRE. No need for hands-on, in-person intervention. This capability can be enabled by IT policy for devices running Windows 11, version 24H2 or 25H2. A preview of quick machine recovery management in Windows Autopatch is also available. Start controlling the deployment of quick machine recovery updates, including approvals, schedules, alerts, and reporting.
* [RESTORE] – A preview of point-in-time restore is being rolled out to Windows Insiders in the Beta and Dev Channels. With this feature, you can remotely restore a PC to a previous state from restore points stored on the device. When a device or group of devices has been suddenly impacted, point-in-time restore provides a fast way to return to productivity without waiting for a targeted fix.
* [AUTOPATCH] [GCC] – Windows Autopatch is available to US government organizations as part of Microsoft 365 Government. It has been added to the Azure FedRAMP High Provisional Authorization to Operate (P-ATO). Work is underway to expand the service to also meet the requirements of US Government Community Cloud High (GCC High) and Department of Defense (DoD) environments.
* [WINDOWS 365] [LINK] – Key updates for Windows 365 Link are coming in the first quarter of 2026. You’ll get support for pairing Bluetooth® devices during the out-of-box experience, support for tenant branding, and the ability to restore a device to its factory default state using a bare metal recovery image.
* [ROLLBACK] – Known Issue Rollback is a robust mitigation technology that can quickly return an impacted device back to productive use if an issue arises during a Windows update. A new article provides insight into how Known Issue Rollback works, scenarios it supports, and answers to frequently asked questions.

New in Windows security

* [SECURE BOOT] – Tools and prescriptive guidance are now available to help you proactively update your Secure Boot certificates before they expire in June of 2026. Have questions about this Secure Boot milestone? Save the date and join our Secure Boot Ask Microsoft Anything (AMA) event on December 10.
* [FOUNDATIONS] – Read the November 2025 Secure Future Initiative Progress Report to explore recent advancements in Windows security and resilience. You’ll also learn how Surface leads the Windows ecosystem by enabling all recommended Windows security features by default.
* [PASSWORDLESS] – With the November 2025 security update, Windows 11 includes native support for passkey managers. This means you can choose your favorite passkey manager — whether it’s Microsoft Password Manager or trusted third-party providers.
* [SYSMON] – Native Sysmon functionality is coming to Windows 11 and Windows Server 2025 next year. With this change, you’ll be able to capture granular diagnostic data without having to deploy and maintain Sysmon manually across your digital estate.
* [WINDOWS 365] [DATA PROTECTION] – Windows Cloud Keyboard Input Protection is now in public preview. This capability ensures the confidentiality and integrity of sensitive input data. How? By encrypting user keystrokes at the kernel level and decrypting them exclusively within the remote virtual environment. The public preview is available for both Windows 365 Cloud PCs and for Azure Virtual Desktop session hosts and virtual machines (VMs).
* [WINDOWS 365] [IDENTITY] – With the latest updates to Windows 365 and Azure Virtual Desktop, you now can provide access to users outside your organization. Simply invite them into your organization. No need to create and assign brand new, temporary accounts.
* [INTUNE] [ZERO TRUST] – Aligning network policies with Zero Trust and cloud-native architecture can require trade-offs. Explore common models, benefits, and implementation guidance.

New in AI

* [COPILOT] – Windows is evolving to include agent-like functions built into the operating system, new tools offered by Microsoft 365 Copilot on Windows, and capabilities powered by Copilot+ PC hardware. Explore the announcements from Microsoft Ignite. Get early access to new features through the Windows Insider Program and by setting your tenant (or selected users) up for Targeted Release in the Microsoft 365 admin center.
* [WINDOWS 365] [AI] – Windows 365 AI-enabled Cloud PCs combine Windows 365 with AI acceleration to help users boost productivity and discover information faster. All that while maintaining enterprise-level security and compliance. For early access, explore Frontier.
* [WINDOWS 365] [AI] – Are you an agent maker? Now in public preview, Windows 365 for Agents provides a comprehensive set of APIs that you can use to manage and utilize compute resources.
* [INTUNE] [AI] – Microsoft Intune is evolving to include assistive chat-based and agentic experiences. They will help you make smarter decisions, achieve better compliance, and reduce risk through intelligence and automation. Intune is also introducing admin tasks, a centralized view for high-priority items, so you can act quickly on what matters most.

New in productivity and collaboration

Install the November 2025 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities.

* [START MENU] – When you launch the Start menu, you can switch and choose between two new views. Category view groups apps by type and highlights frequently used ones. Grid view lists apps alphabetically with more horizontal space for easier scanning. Select Show all for a scrollable list of all your apps. The Start menu is also more responsive, enabling larger displays to show more pinned apps, recommendations, and categories by default.
* [BATTERY] – New battery icons in the system tray utilize color indicators to show charging status and battery levels. These icons also now appear in the lower-right corner of the lock screen to make it easier to check your device’s charging status and battery level at a glance.

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

* [START MENU] [WS2025] – A Boolean option has been added to the Configure Start Pins policy to allow admins to apply Start menu pins that appear on first use. Users can then make any changes to their Start pinned layout and have those changes preserved.
* [SECURITY] [WS2025] – Explore API support for NIST post-quantum cryptography algorithms ML-KEM and ML-DSA in accordance with FIPS 203 and FIPS 204 standards.
* [MANAGEMENT] – Windows Admin Center Virtualization Mode (vMode) has been released in Public Preview. Windows Admin Center vMode helps you easily manage on-premises Windows Server Hyper-V virtualization at scale – across multiple hosts and clusters – while bridging your environment with Azure Arc.

Lifecycle milestones

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

* [WINDOWS 10] – Have you taken steps to ensure that the Windows 10 devices in your organization are activated with an ESU license? If not yet, check out our step-by-step guide. Additional steps are needed to enable ESUs for local devices accessing Windows 365.
* [WINDOWS 11 23H2] – Windows 11, version 23H2 (Home and Pro editions) reached end of servicing on November 11, 2025. Enterprise and Education editions will continue to receive updates through November 10, 2026 per the Modern Lifecycle Policy.
* [SERVER] – Officially deprecated in Windows Server 2022, the Windows Internet Name Service (WINS) will be removed from all Windows Server releases after Windows Server 2025. Standard support will continue through the lifecycle of Windows Server 2025, which is supported until November of 2034.
* [CONFIGMGR] – Starting with version 2609, Microsoft Configuration Manager will transition to an annual release cadence.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

* Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
* Microsoft 365 Copilot release notes for latest features and improvements
* Windows Insider Blog for what’s available in the Canary, Dev, Beta, or Release Preview Channels
* Windows Server Insider for feature preview opportunities
* Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

What else can we include in this monthly summary to make it more useful? Drop us a note below with your feedback.

---
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
December 2, 2025 at 5:03 PM
Ask the Windows experts at Tech Community Live: Join us December 2 for a Windows edition of Tech Community Live. Together, my colleagues across Windows will be answering your questions on the new features and capabilities announced at Microsoft Ignite and in recent months. This event… #WindowsITPro
Ask the Windows experts at Tech Community Live
Join us December 2 for a Windows edition of Tech Community Live. Together, my colleagues across Windows will be answering your questions on the new features and capabilities announced at Microsoft Ignite and in recent months. This event is your opportunity to engage directly with the engineering teams behind the features and get the information you need to keep your updates flowing and your deployments progressing.

[Image: Tech Community Live: Windows edition – May 31, 2023]

This edition of Tech Community Live features four back-to-back Ask Microsoft Anything (AMA) sessions. Click the title(s) below to access the session pages, where you can add them to your calendar. While you’re there, sign in to—or sign up for—the Tech Community and post your questions now while they are top of mind. Once signed in, click the Attend button to let us know you’re coming and receive reminders.

| Time | Ask Microsoft Anything about... |
|---|---|
| 8:00 AM PST (4:00 PM UTC) | Managing Windows updates |
| 9:00 AM PST (5:00 PM UTC) | Managing AI and agents in Windows |
| 9:30 AM PST (5:30 PM UTC) | Windows backup and restore options |
| 10:00 AM PST (6:00 PM UTC) | Windows accessibility in the enterprise |

How do I participate?

Anyone can watch the event. To actively participate and post a question, you need to be signed in to the Tech Community. If you haven’t already signed up, select Sign in in the top right corner of this site and join the Windows community today! Once you’re signed in, scroll to the bottom of the session page and select Comment. A text box will appear. To make sure we see and can respond to each of your questions, it helps if you post each one individually as a separate comment vs. all in one bulleted or numbered list.

If you find that your company’s policies prevent you from watching the live stream, you can tune in from a personal device—or join us on LinkedIn.

Need captions?

The live broadcast will feature live, AI-generated captioning. We'll then produce and post real, human-generated captions by the end of the week, including text-based transcripts, so you have an accurate recap of the questions and answers presented.

What if I can't attend the live event?

Not a problem. You can post your questions now—in the Comments section of the session pages—then check back at a convenient time for you. We’ll leave the Q&A open in the chat through Friday and publish a Q&A summary after the event for easy reference.

Hope to see you there!

Tech Community Live events are a great way to get in touch with our engineers beyond large events like Microsoft Ignite. Like our monthly Windows Office Hours, we’ll have friends from the Microsoft Intune and security teams also pitching in to help answer your questions. If there’s a specific topic you’d like us to cover in the next Windows edition of Tech Community Live, drop me your ideas in the comments.
November 26, 2025 at 8:02 PM
Windows 365 Frontline updates and Cloud Apps general availability: Since launching in 2021, Windows 365 has simplified secured, remote access to desktops by introducing the Cloud PC, a persistent Windows experience streamed from the Microsoft Cloud to any device anywhere. Today, we’re… #WindowsITPro
Windows 365 Frontline updates and Cloud Apps general availability
Since launching in 2021, Windows 365 has simplified secured, remote access to desktops by introducing the Cloud PC, a persistent Windows experience streamed from the Microsoft Cloud to any device anywhere. Today, we’re taking the next step to modernize shared devices and task-based workflows, making it easier for IT teams to support diverse environments while improving end-user productivity.

The introduction of Windows 365 Frontline brought Cloud PCs to employees who only needed part-time or occasional access to Windows desktops, offering cost-effective and scalable cloud computing to new types of users without adding complexity. Now, we’re excited to announce powerful functionality that extends the reach of Windows 365 Frontline even further - with options to scale the service to an entire workforce.

Windows 365 Cloud Apps, now generally available, uses Windows 365 Frontline in shared mode to provide users with access to individual applications, without requiring each user to have their own dedicated Cloud PC. Alongside Cloud Apps, we are launching key technical enhancements to simplify rollout and adoption, including User Experience Sync, which is now generally available, and Windows Autopilot Device Preparation profile, in public preview. User Experience Sync enables app settings and accessibility preferences to persist across sessions, delivering a personalized experience for users even in shared environments. For IT admins, Windows Autopilot Device Preparation profile simplifies provisioning by pre-installing critical apps as needed, without maintaining complex images.

Together, these capabilities in Windows 365 make it easy for IT to deploy both apps and desktops, giving users the productivity they expect from first launch — whether they need a 24/7 desktop, part-time desktop access, or even occasional access to an individual application.

Let’s take a deeper look at these capabilities and how they transform the Windows 365 experience:

Just the essentials — Windows 365 Cloud Apps for task-based workflows

[Image: Windows App launching Windows 365 Cloud Apps]

Now your workforce can quickly perform tasks by accessing the business applications they need right from the Windows App. This also delivers simplified management through Microsoft Intune, reduced infrastructure complexity, and faster deployment — all while maintaining enterprise-grade security and compliance.

Windows 365 Cloud Apps are especially useful for organizations wanting to modernize legacy virtual desktop infrastructure (VDI) environments, where existing solutions can be challenging to scale and complex to manage, leading to outages, misconfigurations, or security gaps. Migrating published VDI apps to the Windows 365 service offers the advantages of Cloud PC manageability and experience, with cost-effective pricing.

To learn more about Windows 365 Cloud Apps, visit Windows 365 Cloud Apps.

Apply a consistent experience to shared Cloud PC scenarios

Shared workstations often sacrifice personalization for cost savings. With User Experience Sync, Windows 365 Frontline in shared mode delivers a consistent experience every time, reducing frustration and improving productivity for users in shared environments. It ensures that applications which save user settings or application data persist that info across sessions, and maintains other aspects of the Windows experience, such as accessibility options. We’re also investing in faster sign-in experiences across Windows 365 Frontline modes (dedicated and shared) to help users get productive from the first click, so workflows start seamlessly without delays.

[Image: Screenshot of User Experience Sync admin configuration]

Managing cloud storage with User Experience Sync

As a key component of our service offering, User Experience Sync is included at no additional cost in Windows 365 Frontline. Storage for user settings data is built in and determined by the size of the OS disk in the Cloud PC configuration. For example, Cloud PCs with a 128GB OS disk will have an additional 128GB of storage available, dedicated to User Experience Sync. This space is pooled across users, with larger disks providing greater storage capacity.

IT admins can set user storage limits to match differing scenarios, monitor usage through Intune, and configure alerts when storage runs low. This storage is created during a user’s Cloud PC or app first-run experience, offering flexibility without limiting the number of assigned users.

To learn more about User Experience Sync, visit User Experience Sync configuration.

[Image: Screenshot of a provisioning policy, with a graph showing available and used user storage]

Autopilot app installs bring productivity from first use

Time-to-productivity is critical for organizations of all types and sizes. Ensuring that workers have access to the applications that they need right away leads to improved employee satisfaction, enhanced security, and increased productivity.

With Autopilot Device Preparation profile capabilities, IT admins can use Microsoft-provided images for Windows 365, then target an app or set of apps for automatic deployment, ensuring they are pre-installed before a user ever signs in. This reduces IT overhead and complexity, while delivering a meaningful first run experience. This is a notable improvement compared to traditional VDI, where admins often spend considerable effort maintaining sets of custom or “golden” images — and represents significant time savings for IT admins managing Windows 365.

This public preview feature has now been expanded to include support for Windows 365 Enterprise and all Windows 365 Frontline Cloud PC configurations, including Windows 365 Cloud Apps. This means that IT admins can also easily deploy applications through Intune as Windows 365 Cloud Apps without taking on the complexities associated with custom image management.

Get started with Windows 365 Frontline and Windows 365 Cloud Apps today

With powerful new features such as Windows 365 Cloud Apps, User Experience Sync, and Autopilot Device Preparation profiles at your fingertips, there’s never been a better time to move to Windows 365. These innovations simplify deployment, reduce IT overhead, and empower your workforce with secure, flexible access to the apps and desktops it needs.

To get started:

* Deploy Windows 365 Cloud Apps in a Windows 365 Frontline environment to deliver task-based access to applications without dedicated Cloud PCs.
* Enable User Experience Sync with Windows 365 Frontline in shared mode to give users a consistent experience across sessions.
* Use Autopilot device preparation profiles to pre-install critical apps and accelerate first-use productivity for users.

Start implementing these capabilities today to deliver a modern and scalable desktop or app virtualization environment.
November 18, 2025 at 4:03 PM
Scalable Windows Resiliency with new recovery tools: Today at Ignite, we’re announcing new Windows recovery capabilities designed to help IT admins respond quickly — whether it’s restoring a single PC that’s misbehaving or recovering large sets of devices during a widespread outage.… #WindowsITPro
Scalable Windows Resiliency with new recovery tools
Today at Ignite, we’re announcing new Windows recovery capabilities designed to help IT admins respond quickly — whether it’s restoring a single PC that’s misbehaving or recovering large sets of devices during a widespread outage.

Device recovery scenarios vary, and customers need different tools for different situations. That’s why we’re providing a range of solutions, all managed through a familiar, centralized platform. Microsoft Intune brings these capabilities together, and other modern device management vendors can integrate similar functionality if they choose.

In this blog post, we are covering the tools that are available to you this week. Stay tuned for future blog posts that will deep dive into other capabilities.

Quickly recover Windows devices during a widespread outage

Large outages affecting millions of devices are rare but frustrating when they can only be remediated by an in-person action. These devices are usually stuck on WinRE. That is when quick machine recovery (QMR) comes into play. QMR is a Windows capability that automatically detects, diagnoses, and remediates boot critical issues from WinRE, helping restore productivity without requiring hands-on, in-person intervention.

QMR is generally available and enabled by default on Windows Home and will soon be enabled on Pro devices that are not managed by IT. It requires Windows 11 24H2 or 25H2. On managed Windows Pro and Enterprise devices, QMR needs to be enabled by IT policy, and soon can be enabled just-in-time by Autopatch management.

We are introducing the preview of QMR management in Windows Autopatch. Autopatch empowers IT administrators with comprehensive control over the deployment of QMR updates, including approvals, scheduling, alerting, and reporting. To discover more details, visit the Ignite Autopatch blog post and attend the Ignite breakout session BRK345: Resilient by design: How Windows has evolved with new recovery tools for a demo.

Restore Windows devices to a previous state in minutes

A device disruption doesn’t have to be widespread — it can strike any device at any time and cost organizations valuable time and productivity. That’s why we’re excited to introduce point-in-time restore for Windows, a new recovery capability that enables devices to be rolled back to a previous state within minutes. This feature is designed to help minimize downtime and simplify remediation, without the need for technical expertise or lengthy troubleshooting. A public preview of this feature will be available this week for Windows Insiders.

Point-in-time restore will help IT admins (remotely) or end users (locally) restore a PC to a previous state from restore points stored on the device. This feature can be used to help customers recover from both widespread and one-off issues. When a device or group of devices has been suddenly impacted, point-in-time restore provides a fast way to return to productivity without waiting for a targeted fix.

Point-in-time restore aims to address the need for:

* Flexibility, as a restore can help resolve both isolated and widespread incidents
* Fast and simple recovery in minutes without advanced troubleshooting needed
* Built‑in reliability and predictability, including recurring capture of restore points, a short restore point retention period, and disk space limits
* Comprehensive rollback of the entire system to a previous state, including OS, apps, settings, configurations, and local files

How is this different from System Restore?

Organizations may be wondering how this capability differs from System Restore. While both point-in-time restore and System Restore use Volume Shadow Copy Service and are designed to restore the system to a previous state, there are important differences:

| | Point-in-time restore | System Restore |
|---|---|---|
| Restore points | Automatic, configurable cadence. User files are included in restore point. | Event-triggered or manual only. User files are excluded from restore point. |
| Reliability | Strict retention and cleanup policies | No retention limits |
| User experience | Integrated in system settings | Limited to control panel |
| Fundamental impact | Designed to minimize storage impact | Higher impact to storage space |
| Management | Will support robust remote management capabilities | Limited remote management capabilities |

How does this feature in Windows 11 compare to point-in-time restore for Windows 365?

Both point-in-time restore for Windows and point-in-time restore for Windows 365 are designed to help organizations recover quickly from system failures, flawed updates, or user errors. While these features share the same core goal of minimizing downtime and restoring productivity during disruptions, their implementations differ due to architectural differences and design choices unique to each environment.

Below are the key differences that IT administrators should be aware of when evaluating or deploying point-in-time restore across environments:

| | Windows client | Windows 365 |
|---|---|---|
| Feature enablement | Can be enabled or disabled | Always on |
| Restore point retention | Up to 72 hours | Up to 1 month |
| Restore point types | Short-term only | Short-term, long term, and manual |
| Restore point sharing | No sharing, restore points remain local | Support sharing across Windows 365 and Azure Cloud |
| Restore speed | Likely faster due to local storage of restore point | Speed is affected by network latency and bulk vs. single restores |
| Storage constraints | Bound by physical disk limits | Scalable, cloud storage |

Limitations and risks for Windows client

As with any recovery solution, it is important to be aware of some limitations and risks.

* Data loss: point-in-time restore is a comprehensive recovery solution that reverts the entire system — including user files, applications, settings, passwords, secrets, certificates, and keys — to the selected restore point. Any changes made after the restore point will be lost. Data stored in cloud services such as OneDrive is not affected.
* Storage constraints: restore points are stored locally and require sufficient disk space to be maintained. If available disk space becomes limited, the oldest restore points will be deleted automatically to free up space. To complete a restore, the device must have at least as much free space as the total size of all restore points on the system.
* Restore points are retained for a maximum of 72 hours and are deleted after this period.
* There is no guarantee that a rollback will always result in a bootable or fully functional system, as certain system states or updates may impact reliability.

What will be available in the preview this week?

Starting this week, Windows Insiders in the Beta and Dev Channels can test point-in-time restore by installing the latest Insider Preview build for Windows 11.

[Image: Point-in-time restore settings page in System > Recovery]

Devices running Home, Pro or Enterprise editions of Windows will have access to view all configurations; however, only administrators will have the ability to configure the feature.

Configurations are available in Windows 11 System Settings and are outlined below:

| Configuration | Default (preview) | Options |
|---|---|---|
| Feature On/Off | On* | On, Off |
| Restore point frequency | Every 24 hours | 4, 6, 12, 16, 24 hours |
| Restore point retention | 72 hours | 6, 12, 16, 24, 72 hours |
| Maximum usage limit | 2% of disk | Percent of disk (min 2GB, max 50GB equivalent) |

*Only devices with a total disk size of 200GB or greater will have the feature on by default. Devices with disk sizes below 200GB can still configure the feature to be on if desired.

For preview, a restore can be triggered only locally by the end user, and only when the device is in WinRE (remote management of this feature and triggering a restore from full Windows are not included in the preview).

[Image: Point-in-time restore shown in the Troubleshoot menu for WinRE]

The steps to perform a point-in-time restore are below:

* In WinRE, select Troubleshoot > Point-in-time restore.
* Enter the BitLocker recovery key.
* Select a restore point to restore the PC to the exact state it was in at the time of the restore point.
* Review and acknowledge the risks and limitations associated with this feature by selecting Continue.
* Review the restore point selection, OS version, and warning of data loss, and select Restore to start the restore process.

File your feedback via the Feedback Hub (under Recovery and Uninstall > Point-in-time restore) to help us refine and optimize this feature.

Next steps

Stay tuned for future enhancements as we continue to strengthen Windows resilience and support IT admins in maintaining seamless business operations.

Point-in-time restore and quick machine recovery (QMR) with Autopatch are available this week — start testing both to help build your own recovery framework. Additional tools will become available in the first half of 2026.

Attend the Ignite breakout session Resilient by design: How Windows has evolved with new recovery tools (BRK345) for more details and demos. The session will be recorded, so you can stream it on demand.

To learn more about the Windows Resiliency Initiative, see the Windows Resiliency e-book.

Disclaimer: This blog post is for informational purposes only and outlines Microsoft’s current product direction and plans. Product availability, licensing terms and capabilities may vary by region and are subject to change. All third-party trademarks are the property of their respective owners.
November 18, 2025 at 4:03 PM
Keyboard Input Protection for Windows 365 and Azure Virtual Desktop now in preview: The evolving threat landscape for virtualization

The rapid adoption of cloud-based virtualization has transformed how organizations deliver secure, scalable workspaces. This shift has also expanded… #WindowsITPro
Keyboard Input Protection for Windows 365 and Azure Virtual Desktop now in preview
The evolving threat landscape for virtualization

The rapid adoption of cloud-based virtualization has transformed how organizations deliver secure, scalable workspaces. This shift has also expanded the attack surface for cybercriminals. Recent market intelligence highlights that endpoint malware like infostealers, keyloggers, screen scrapers, and ransomware continue to target user devices. This includes personal devices like those used for Bring Your Own Device (BYOD) strategies, as those unmanaged devices may be less secure and thus an easier target.

Harvesting sensitive data at the endpoint device has become a top method for attackers, and infostealer malware has become a leading threat used to steal sensitive data from both managed and unmanaged devices. [1] Attackers are increasingly targeting personal devices that access corporate resources, exploiting gaps in endpoint security.

Shifting the trust boundary to the endpoint

For organizations embracing a remote workforce, endpoint protection is no longer optional — it’s essential. While virtualization solutions secure the cloud and network layers, they cannot fully shield against threats originating on user devices.

* Malware risk: Keyloggers and screen scrapers on unmanaged endpoints can capture sensitive data before it reaches the cloud.
* BYOD exposure: Personal devices often lack enterprise-grade security, creating compliance and data loss risks.
* Detection delays: Endpoint breaches can go unnoticed for months, giving attackers time to harvest credentials and compromise sessions.

Customers need assurance that every device connected to a cloud service meets security posture requirements. Enforcing keyboard input protection on the endpoint, with verification checks from the cloud side — within the virtualized environment — offers end-to-end protection, closes these gaps, and ensures safety guardrails are always applied, regardless of device type. This is critical for safeguarding sensitive data and maintaining compliance in a distributed workforce.

Introducing Windows Cloud Keyboard Input Protection

We are excited to announce Windows Cloud I/O Protection capabilities, to help protect Windows 365 Cloud PC and Azure Virtual Desktop VM endpoints from malware and other risks stemming from inputs or displays. The first of these new capabilities is Windows Cloud Keyboard Input Protection, now in public preview, purpose-built to address endpoint security concerns for Windows 365 and Azure Virtual Desktop. It establishes a secure communication channel that begins at the endpoint device’s kernel and extends to Windows 365 Cloud PCs or Azure Virtual Desktop session hosts or virtual machines (VMs).

The Windows Cloud Keyboard Input Protection solution ensures the confidentiality and integrity of sensitive input data by encrypting user keystrokes at the kernel level and decrypting them exclusively within the remote virtual environment. As a result, unauthorized interception or manipulation of input is effectively prevented throughout the entire path—from the moment the user types until the data reaches the Cloud PC.

Solution components include:

* Kernel-level encryption: A software kernel driver and system-level encryption service work together to route all keyboard inputs directly from the physical device to the Cloud PC or Azure Virtual Desktop VM in encrypted format. This prevents interception by OS-level malware, including keyloggers and screen scrapers.
* VM-side decryption: Only the remote Cloud PC or VM can decrypt the keystrokes, ensuring that sensitive data never appears in clear text on the endpoint device.
* Seamless user experience: The protection is transparent to users and IT admins, maintaining productivity while enforcing robust security without performance impact.

Activating Windows Cloud Keyboard Input Protection

Security IT admins can enable Windows Cloud Keyboard Input Protection using Group Policy in an Active Directory domain by opening the Group Policy Management console, navigating to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop > Enable Keyboard Input Protection, and enabling it as shown below.

[Image: IT admins can easily enable keyboard input protection for Windows 365 or Azure Virtual Desktop.]

After the feature is enabled, the end user with admin privileges will need to install the Windows Cloud IO Protect endpoint enablement package (WCIO Protect.msi) on their physical device.

This feature is supported in:

* Windows Azure Virtual Desktop VMs with the latest Microsoft supported Windows Client OS versions.
* Supported endpoint device OS: Windows 11 physical devices running a supported Windows App (version 2.0.704.0 or newer) with the Windows Cloud IO Protect MSI installed on them.

To learn more about setting up Windows Cloud Keyboard Input Protection, visit our Learn page.

How Windows Cloud Keyboard Input Protection helps

With the proliferation of endpoint threats and the rise of remote work, organizations need more than just cloud security — they need endpoint-to-cloud protection. Windows Cloud IO Keyboard Input Protection delivers:

* Compliance assurance: By preventing unauthorized data capture at the endpoint, organizations can better meet regulatory requirements for data protection and privacy.
* Reduced breach risk: Utilizing secure communication channels from the endpoint kernel to the remote VM dramatically lowers the risk of credential theft and data exfiltration from resident threats.
* Future-ready security: As attackers evolve, Microsoft’s approach — combining kernel-level protection, device compliance, and cloud integration — sets a new standard for secure desktop delivery.

Next steps

Windows Cloud Keyboard Input Protection will be rolling out to organizations using Windows 365 and Azure Virtual Desktop in the coming weeks. To learn more about this feature, and other security capabilities within Windows Cloud, please visit our resources:

* Windows 365 Learn doc on Win Cloud IO Protection
* For an overview of Windows 365 Security concepts, visit https://aka.ms/w365security
* To see more about our Ignite announcements around Windows 365 and Azure Virtual Desktop, see our Windows blog
* To see our security announcements bringing B2B and external identity support for Windows 365 and Azure Virtual Desktop, visit this blog
* To learn more about the security risks and mitigations for BYOD, and how Windows 365 can help, visit https://aka.ms/w365byodebook

[1] The 2025 Verizon Data Breach Investigations Report found that 30% of compromised systems were enterprise-licensed, while 46% were non-managed endpoints, often due to BYOD policies.
November 18, 2025 at 4:03 PM
Windows 365 and Azure Virtual Desktop support external identities, now generally available
With Windows 365 and Azure Virtual Desktop, organizations have been able to offer Windows delivered from the cloud to users to be productive, connect to IT resources, and to securely sign in across devices. Previously, you could only do so for member users, with accounts and credentials that are fully managed in your organization. With our latest updates, you can provide access to users who are outside your organization by simply inviting them into your organization, without having to create and assign brand new, temporary accounts.

We’re excited to announce:

* Connecting to Windows 365 and Azure Virtual Desktop with an external identity is now generally available
* Using FSLogix as a user profile management solution for external identities with Azure Virtual Desktop is now in public preview

What external identity support means

With support for external identities in Windows 365 and Azure Virtual Desktop, you can standardize your approach to virtualization for users that are either internal or external to your organization. External identities may include roles like contractors or third-party vendors. You can also leverage other Microsoft Entra investments for external identities:

* Enforce conditional access (CA) controls specific to external identities
* Enforce multi-factor authentication (MFA) registration for the external identity in your tenant
* Enforce Global Secure Access (GSA) configuration on the Windows machine the external identity will be using to access your resources.

Note: Because external identities are cloud-only users and do not have a representation in Windows Server Active Directory, Kerberos authentication can’t be used.

In the screenshot above, you can see that Cameron Baker is originally from the Fabrikam (fabrikam.com) organization, but is seeing resources that the Contoso (windows365-demo.microsoft.com) organization has assigned to them as an external identity.

Assign a resource to external identities (generally available)

The admin flow for provisioning a Windows 365 Cloud PC or assigning Azure Virtual Desktop resources to an external identity is nearly identical to doing so for a member user in your tenant. The steps for assigning an external identity include:

* Assigning the user the appropriate licenses.
* Assigning the user to an Entra user group.
* Assigning the Entra user group to the Cloud PC provisioning policy or Azure Virtual Desktop application group.
  Note: For Azure Virtual Desktop, make sure you also assign the Virtual Machine User Login Azure role-based access control (RBAC) role to the external identity on any Azure Virtual Machine (VM) they may sign in to.

After completing these steps, the user can access their assigned resources, just like other assigned users in your organization.

For your Windows 365 or Azure Virtual Desktop environment, make sure to consider the following:

* You must configure Microsoft Entra single sign-on for the user’s connection.
* The Cloud PC or Azure Virtual Desktop session host must be Entra joined.
* The Cloud PC or Azure Virtual Desktop session host must be running Windows 11, version 24H2 or later with the 2025-09 Cumulative Updates for Windows 11 (KB5065789) or later installed.

Configure FSLogix on Azure Files for external identities (public preview)

To provide a streamlined experience in an Azure Virtual Desktop pooled environment for external identities, you can create a file share in Azure Files to store the FSLogix profiles for these identities. This capability is now in public preview.

To create an SMB file share for FSLogix profiles for external identities:

* Create a new storage account and file share configured to use Microsoft Entra Kerberos authentication.
* (New) When assigning permissions for the file share, use the new Manage access page to assign ACLs to the Entra ID group containing your external identities.
  In the screenshot above, you can see the Manage access page, where each row is an individual permission added to the SMB file share. In this example, WCX-External-Identities is the Entra group containing the external identities, and they have been assigned permissions in the file share which will be used to create and access each external identity user’s FSLogix profile container.
* Configure FSLogix in your session hosts to use this Azure File share.

Once configured, the external identities can sign in to the Azure Virtual Desktop environment and have an FSLogix user profile just like other users in your organization. This provides a seamless experience when landing across different session hosts in the same host pool. For full step-by-step instructions, see how to Store FSLogix profile containers on Azure Files using Microsoft Entra ID.

A more secure Bring Your Own Device (BYOD) strategy

These capabilities can help organizations looking for a more secure BYOD experience, or when provisioning identities to a contractor, external partner, and more. To see the latest guidance from Microsoft on how to use Windows 365 to secure your BYOD strategy, visit https://aka.ms/W365BYODeBook.

Additional resources

We continue to roll out more features to help organizations secure their Cloud PCs and VMs. See our other latest security announcements here:

* To see our Ignite announcements for Windows 365 and Azure Virtual Desktop, visit the Windows Experience blog here.
* To learn more about new Windows Cloud input protection capabilities for Windows 365 and Azure Virtual Desktop, visit here.
November 18, 2025 at 4:03 PM
Windows 365 Link - What's new for the first Cloud PC device
Since we first announced Windows 365 Link — the simple, secure, purpose-built device for Windows 365 — at Microsoft Ignite last year, we have been energized to see organizations deploying it in shared spaces ranging from retail stores to factory floors and even clean rooms. We have highlighted how, according to a Microsoft commissioned Forrester TEI study, it is projected to deliver a substantial return on investment up to 195% over six years for a composite organization replacing desktops for frontline and knowledge workers.*

This year at Microsoft Ignite, we’re highlighting what’s new for Windows 365 Link and diving deeper into how it can boost productivity and strengthen security while helping you optimize IT investments — particularly for your frontline. Tune into our upcoming Microsoft Ignite 2025 breakout session and read on to learn more.

“Windows 365 Link provides secure access to cloud desktops, transforming hardware-dependent services into agile, cloud-based solutions. In shared environments, it offers a low-cost alternative without sacrificing user experience. In Retail, it will boost security, supporting a zero-trust model that safeguards critical customer systems while removing friction.”
- Matt Harkness, Product Manager Modern Workplace, One NZ

“Regeneron uses the power of science to bring new medicines to patients in need. By standardizing on Windows 365 Link devices across our clean room environments, we’ve minimized endpoint maintenance and enabled seamless hotdesking. This shift not only lowers operational costs but also enhances compliance and manufacturing agility as we can implement data integrity controls centrally and immediately.”
- Matt Humphreys, Senior Director of Global Enterprise Operations IT, Regeneron Pharmaceuticals Inc.

Windows 365 Link devices are configured out of the box to receive regular updates to enhance the end-user experience and streamline IT management.
Recent updates include:

* Support for use with Windows 365 Reserve Cloud PCs, making Windows 365 Link a great backup option when someone’s primary desktop is unavailable due to hardware failure.
* Support for voice access to enhance accessibility, enabling users to control their PC and insert text using voice commands, without needing a keyboard or mouse.
* Support for smart card redirection, enabling authentication to apps and websites in a Cloud PC through a smart card reader.
* Support for users with multiple Cloud PCs to choose which Cloud PC to connect to after initial sign-in.

Connection Center showing multiple Cloud PCs after sign-in

Looking ahead, here are some key updates targeted for release in the first quarter of 2026:

* Support for pairing Bluetooth® devices during the out-of-box experience, so you can use a wireless keyboard and mouse to set up the device.
* Support for tenant branding including setting a custom wallpaper, logo, and name on the sign-in screen, so you can provide a tailored experience for your employees.
* The ability for IT to restore a device to its original factory default state using a bare metal recovery image, providing one more way to recover the device in case you need to join it to another tenant.
* Improvements to the sign-in experience to support a broader set of interactive authentication experiences when connecting to Cloud PCs.

We have heard that organizations appreciate how Windows 365 Link devices support high-fidelity Microsoft Teams meetings, and they also want support for media redirection with partner solutions. We are happy to share that Webex by Cisco and Zoom are actively working to enable high-fidelity meetings on Cloud PC devices. The Webex VDI Plugin for optimizing meeting experiences on Cloud PC devices is targeted for preview release in the first half of 2026. Additional third-party communication app providers who are interested in enabling a plugin for Windows 365 Link can reach out via this form.

Windows 365 Link is now available in 13 countries and will expand early next year to seven more. If you want to purchase Windows 365 Link for desk-based and frontline users in your organization, contact your Microsoft account team or authorized resellers in Australia, Canada, Denmark, France, Germany, India, Japan, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom, and the United States. Availability will further expand to Belgium, Finland, Ireland, Italy, Poland, Singapore, and Spain starting in February 2026.

*ROI estimate is based on a commissioned study conducted by Forrester Consulting on behalf of Microsoft, New Technology: The Projected Total Economic Impact™ of Windows 365 Link, July 2025. The Forrester study findings are for a composite organization with 2,000 employees, 500 contractors and $4 billion in annual revenue informed by interviews with six IT decision-makers who had experience using Windows 365 Link and survey responses from 212 IT decision-makers and end-user managers who had experience with or interest in using Windows 365 Link. ROI projections reflect perceived benefits reported by participants and are not guaranteed.
November 18, 2025 at 4:03 PM
Windows Autopatch — Elevate Your Update Experience for Modern Work
As AI adoption continues to accelerate across organizations of all sizes, it is critical for IT leaders to secure their device estate to keep their organizations protected, productive, and ahead of the curve. Managing Windows updates should be a seamless, intelligent process that empowers teams to focus on strategic priorities. That’s why Microsoft is continuing to build the future of Windows update management with Windows Autopatch, bringing improved clarity, reporting, automation, and control to update readiness. By combining real-time visibility, proactive remediation, streamlined scheduling, and resilient recovery solutions, Autopatch helps keep your devices protected and your business agile.

In this post, we’ll share how these innovations are transforming IT operations, delivering peace of mind, and setting a new standard for secure, automatic Windows update management. Windows Autopatch is available for customers with Windows Enterprise, Frontline, US Government, Education and Business Premium SKUs. Learn more here.

Elevate your IT experience: Autopatch brings update readiness to the forefront

Every month it feels like IT environments become more complex and dynamic, creating challenging, time-consuming workloads for system administrators. Deploying at scale means IT leaders need technology that adjusts to meet fast evolving work demands. In the latest enhancements to Autopatch, update readiness is ready to give IT teams just that — the tools they need to anticipate issues, streamline deployments, and maintain organizational resilience, including reporting enhancements IT administrators have long asked for.

Proactive peace of mind: Automated checks and early remediation

Readiness means more than just numbers on a dashboard. Proactive checks help catch hidden prerequisites and safeguards before deployment, reducing manual troubleshooting and minimizing user disruption.
Rather than fixing issues after they happen, administrators can review lists of devices that need remediation (for example, a list of devices not ready for quality updates due to prerequisites) and address issues up front, saving time and avoiding unnecessary rework. Fewer disruptions, happier users — it's a win-win.

Follow every device’s journey: Streamlined troubleshooting made simple

We know the complexity of your diverse environments sometimes requires more than an “in progress” update status, which is why Autopatch’s new device update journey maps out every device’s progress in clear, actionable steps. Granular timelines and audit trails make it simple to spot where an update might stall, including reasons why a hotpatch couldn’t take place, so problems can be resolved quickly and confidently.

Repair with confidence

IT teams can spot devices that need repair, identify any that might face update blockers, and use targeted remediations to stay secure, all through Autopatch. Actionable alerts guide administrators through each step, while integrated audit logs ensure nothing gets missed and progress is always transparent.

Actionable alerts, transparent progress

When something needs your attention, Autopatch makes sure you’re in the loop with actionable alerts and guided remediation. Each step is tracked, leading to a clearer IT backlog and measurable gains in compliance. Best of all? These features work with your current deployment process — no need to change how you roll out updates.

Streamlined quality update scheduling and approvals

Autopatch now delivers advanced, cloud-based policies for managing monthly Windows updates, empowering IT teams with precise controls and transparent reporting.

Choose between automatic or manual approvals for security, non-security, and out-of-band updates. This flexibility ensures your update workflow aligns with organizational requirements.
Configure deferral settings to implement gradual rollouts, enabling prompt validation with reduced risk and minimal disruption. Autopatch enables you to pause or resume releases as needed, ensuring update deployment remains responsive to business priorities. Enhanced quality update reports offer clear visibility into deployment health, device compliance, approved updates, and actionable alerts — helping IT teams stay proactive and confident throughout the update process.

Extended security updates

As Windows 10 has reached end of support, organizations need a dependable way to maintain protection while planning their upgrade path. Extended Security Updates (ESU) deliver critical fixes for devices that have not yet transitioned to Windows 11, supporting business continuity without compromise. With Autopatch, you can still stay protected — ESU integrates smoothly to provide full visibility into coverage and compliance. IT teams can monitor enrollment status through quality update reports, which clearly show devices enrolled in ESU, and receive alerts for those behind on security updates or missing ESU coverage. This proactive approach helps administrators act quickly, maintain compliance, and keep systems protected while preparing for Windows 11. Read more on upgrading to Windows 11 using Autopatch here.

Hotpatch and maintenance windows keep your business secure with minimal disruption

Last year, we introduced hotpatch updates, which deliver instant security fixes without requiring device restart and reduce exposure to vulnerabilities. Since then, we have launched hotpatch updates on 64-bit ARM devices, enabling this technology on millions of devices. From your feedback we’ve heard one thing loud and clear: more disruption-free updates. Starting Q1 calendar year 2026, you will have the power to create that experience yourself with maintenance windows. It allows you to streamline all your updates from drivers, .NET, and applications to fit your business needs.
You decide, down to the hour, when to restart your machines.

Quick machine recovery (QMR) management in Windows Autopatch

We live in a world where every minute of downtime can put business at risk, which means uninterrupted device access is crucial to maintaining productivity and organizational continuity. When critical issues in your environments lead to boot failures or outages, small or big, immediate and reliable remediation becomes imperative.

Autopatch addresses this challenge with Quick Machine Recovery (QMR) management, a solution that helps recover Windows devices from boot failures (caused by us or third-party kernel-mode drivers) during large-scale incidents through the Windows Recovery Environment, as part of our Windows Resiliency Initiative. When a large-scale outage occurs, impacted Autopatch-managed devices initiate a QMR scan to check for a Microsoft-published target fix. Based on applicability and approval settings, these fixes are deployed promptly, restoring device functionality and reducing the risk of prolonged outages.

Advanced QMR deployment controls

Autopatch empowers IT administrators with comprehensive control over the deployment of QMR updates. By default, all Autopatch-managed devices are QMR scan-ready, ensuring that recovery options are available whenever needed. Administrators may opt out of default scans or fine-tune approval settings within quality update policies, choosing between automatic approvals — with customizable deferral windows — or manual reviews for enhanced oversight. This flexibility allows organizations to tailor their response, balancing swift action with governance, especially during critical events.

Integrated alerts and remediation reporting

Beyond the boundaries of policy management, Autopatch integrates QMR with robust alerting and reporting capabilities. Administrators receive timely notifications when QMR updates become available or when prerequisites are not met, facilitating rapid intervention.
The Autopatch portal provides a comprehensive view of all impacted devices, while detailed remediation reports track recovery status. These reports deliver actionable insights, highlighting successful restorations and identifying devices where further attention is required.

By supporting fast, secure device recovery that aligns with organizational policies — even during large-scale boot failures — Autopatch enables IT teams to maintain a resilient Windows environment, meeting your priorities: fewer disruptions, improved business continuity, and greater confidence in your organization’s Windows update strategy.

Start benefiting today — no disruption required

All these capabilities significantly enhance the impact Autopatch has on your organization, so you can enjoy better visibility, proactive checks, and targeted fixes without overhauling your workflows. Designed to deliver immediate value, Autopatch helps IT teams boost confidence and minimize toil, making Windows update management simpler, more secure, and more insightful than ever.

* Start using Autopatch now: Discover how here.
* Get early access to Autopatch update readiness and Quality Update scheduling and approvals: Sign up now.
* Join the Microsoft Customer Connection Program for exclusive opportunities to help shape our product, get early access to the roadmap, and connect with a community of IT professionals.

Disclaimer: This blog post is for informational purposes only and outlines Microsoft’s current product direction and plans. Product availability, licensing terms, and capabilities may vary by region and are subject to change. All third-party trademarks are the property of their respective
November 18, 2025 at 4:03 PM
Windows 365 for Agents unlocks secured, scalable AI automation
Windows 365 has established itself as a market leader in virtualization, empowering human users with secure, scalable Cloud PCs for productivity from any location on any device. Now, as AI evolves, a new class of computer use is emerging: AI agents that interact with computers much like people do. Agent makers — developers and organizations building these agents — are driving innovation in automation and productivity. Windows 365 for Agents extends the platform to support these new workloads, while continuing to serve human users. This opens the door to enable AI-powered systems, such as Copilots, agents, and autonomous workflows, to access a full Cloud PC.

As agent makers push the boundaries of intelligent AI systems, Windows 365 for Agents empowers them to focus on innovation — not infrastructure. Our platform reduces the complexity of compute management, delivering built-in security, scalability, and observability. These agents can browse websites, process data, and automate tasks, all within a secured, policy-controlled Cloud PC streamed from the Microsoft Cloud. Now in public preview, Windows 365 for Agents is the cloud platform designed to power computer use and help agent makers deliver the best agentic experience to organizations and end users.

Empowering agent makers

Windows 365 for Agents provides a comprehensive set of APIs for agent makers to manage and utilize compute resources. Windows 365 is designed to support a broad spectrum of agent solutions, operating systems, and data access controls, empowering agent makers to innovate freely. This future-ready approach ensures that as agentic computer use needs evolve, Windows 365 will be ready to support them.

* Advanced lifecycle management: Windows 365 for Agents offers end-to-end Cloud PC lifecycle management from session management and networking to capacity and regional data residency.
* End-user visualization and observability: The service provides agent makers the functionalities of real-time visualization with take-control experience, or audit screenshots with time stamps on demand.
* Cost efficiency with pay-as-you-go pricing: Agent makers only pay for what they use, providing an affordable choice for dynamic workloads and budget-conscious teams.
* Broad OS support: The Cloud PCs can operate Windows, Linux, and browser-based environments, enabling a broad range of agentic workloads including open-source and cross-platform scenarios.
* Flexible data control options: From enterprise-grade access control for commercial scenarios to quick start experiences for consumer offerings, Windows 365 for Agents meets agent solutions where they are.

Windows 365 for Agents is the backbone of some of the most advanced Microsoft AI initiatives and partner solutions.

* It serves as the execution platform for agents built into Microsoft Copilot Studio computer use — the Microsoft toolkit for building custom Copilot AI agents to automate web tasks right from a prompt. Here, Windows 365 unlocks a seamless, secure automation experience with no machine setup required.
* It’s also embedded within Project Opal, a new capability in Microsoft 365 Copilot. Opal uses Windows 365 for Agents for work task completion securely and intelligently on users’ behalf, so teams can focus on what matters most.
* Researcher with Computer Use in Microsoft 365 Copilot allows users to automate website navigation and actions with real-time visualization. It is the first supported Microsoft solution that leverages Cloud PCs running a Linux environment.

Copilot Studio custom agent automating tasks on managed Cloud PCs

Opal operating on a Windows 365 for Agents Cloud PC

Researcher with Computer Use running Windows 365 for Agents

We are excited to share that leading agent makers — Manus AI, Fellou, Genspark, Simular, and TinyFish — are already looking forward to leveraging Windows 365 for Agents to deliver next-generation AI solutions. Manus AI, for example, is using Windows 365 for non-domain-joined Cloud PCs, empowering everyday consumers to access intelligent PowerPoint creation and editing.

“Windows 365 for Agents provides the secured, scalable, and always-available compute foundation that Manus AI needs to thrive. By harnessing the power of the Cloud PC, our general AI agent can operate with greater agility, responsiveness, and reach — empowering users to access intelligent assistance wherever they work.”
– Xiao Hong, CEO of Manus AI.

Manus AI integration with Windows 365 for Agents

Trusted infrastructure for organizations

In addition to agent makers, we developed Windows 365 for Agents to meet the complex requirements of enterprise organizations. As professional industries adopt cutting-edge AI systems for productivity, agents are held accountable to an even higher bar in security and compliance. Organizations looking to scale AI responsibly can rely on Windows 365 for:

* Enterprise-grade security & compliance: Agent sessions can be configured for enterprise-grade security and compliance, including Microsoft Entra join, Microsoft Intune management, and network configurations.
* On-demand scalability: Agents can launch as many Cloud PCs as needed, supporting a wide range of workloads and parallel processes. The infrastructure is designed to scale flexibly with organizations’ needs, ensuring reliable performance for dynamic scenarios.
* Seamless IT management: No new tools. No new training. IT admins can manage agent Cloud PCs just like user Cloud PCs on Intune, Microsoft 365 Admin Center, and Power Platform Admin Center — streamlined, familiar, and integrated into existing processes.

We invite you to explore how Windows 365 can transform your approach to automation and AI. Get started with Copilot Studio powered by Windows 365 with 50 free hours of Cloud PC pool usage — no additional sign-up or IT setup required. Visit here to get started.

If you’re an agent maker, IT leader, or developer interested in being among the first to try Windows 365 for Agents, sign up here to express your interest in our preview. Don’t miss your opportunity to shape the future of autonomous work and experience the platform that’s setting the standard for AI-powered productivity.
November 18, 2025 at 4:03 PM