diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters.mdx
index a55d8730f678701..c05525090897874 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters.mdx
@@ -42,60 +42,36 @@ Instructs the client to direct all DNS queries to a specific [Gateway DNS locati
**Value:** Your DoH subdomain.
-## Optional fields
+## Organization parameters
-### `service_mode`
-
-Allows you to choose the operational mode of the client.
-
-**Value Type:** `string`
-
-**Value:**
-
-* `warp` — (default) [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default).
-* `1dot1` — [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh).
-* `proxy` — [Proxy mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#proxy-mode). Use the `proxy_port` parameter to specify the localhost SOCKS proxy port (between `0`-`66535`). For example,
- ```xml
- service_mode
- proxy
- proxy_port
- 44444
- ```
-* `postureonly` — [Device Information Only](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#device-information-only).
+You can use the following parameters to configure a specific Zero Trust organization.
-The service mode [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) is not currently supported as a value and must be configured in Zero Trust.
-
-### `onboarding`
-
-Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.
-
-**Value Type:** `boolean`
-
-**Value:**
-
-* `false` — Screens hidden.
-* `true` — (default) Screens visible.
-
-### `switch_locked`
-
-Allows the user to turn off the WARP switch and disconnect the client.
+### `auth_client_id`
-**Value Type:** `boolean`
+Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
+Requires the `auth_client_secret` parameter.
-**Value:**
+**Value Type:** `string`
-* `false` — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
-* `true` — The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.
+**Value:** Client ID of the service token.
-On new deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
+Example configuration:
-:::note
+```xml
+auth_client_id
+88bf3b6d86161464f6509f7219099e57.access
+auth_client_secret
+bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5
+```
+### `auth_client_secret`
-This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
+Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
+Requires the `auth_client_id` parameter.
+**Value Type:** `string`
-:::
+**Value:** Client Secret of the service token.
### `auto_connect`
@@ -113,16 +89,25 @@ If switch has been turned off by user, the client will automatically turn itself
This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
:::
-### `support_url`
-When the WARP client is deployed via MDM, the in-app **Send Feedback** button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
+### `display_name`
+
+Identifies a Zero Trust organization in the WARP GUI when WARP is deployed with [multiple organizations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/). Required if the `organization` parameter is specified within a [`configs` array](#configs).
**Value Type:** `string`
+**Value:** Organization nickname shown to users in the WARP GUI (for example, `Test environment`).
+
+### `onboarding`
+
+Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.
+
+**Value Type:** `boolean`
+
**Value:**
-* `https://` — Use an `https://` link to open your company's internal help site.
-* `mailto:` — Use a `mailto:` link to open your default mail client.
+* `false` — Screens hidden.
+* `true` — (default) Screens visible.
### `override_api_endpoint`
@@ -160,45 +145,88 @@ This functionality is intended for use with a Cloudflare China local network par
The string must be a valid IPv4 or IPv6 socket address (containing the IP address and port number), otherwise the WARP client will fail to parse the entire MDM file.
-### `unique_client_id`
+### `service_mode`
-Assigns a unique identifier to the device for the [device UUID posture check](/cloudflare-one/identity/devices/warp-client-checks/device-uuid).
+Allows you to choose the operational mode of the client.
**Value Type:** `string`
-**Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).
+**Value:**
-### `auth_client_id`
+* `warp` — (default) [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default).
+* `1dot1` — [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh).
+* `proxy` — [Proxy mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#proxy-mode). Use the `proxy_port` parameter to specify the localhost SOCKS proxy port (between `0`-`66535`). For example,
+ ```xml
+ service_mode
+ proxy
+ proxy_port
+ 44444
+ ```
+* `postureonly` — [Device Information Only](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#device-information-only).
-Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
-Requires the `auth_client_secret` parameter.
+The service mode [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) is not currently supported as a value and must be configured in Zero Trust.
+
+
+### `support_url`
+
+When the WARP client is deployed via MDM, the in-app **Send Feedback** button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
**Value Type:** `string`
-**Value:** Client ID of the service token.
+**Value:**
-Example configuration:
+* `https://` — Use an `https://` link to open your company's internal help site.
+* `mailto:` — Use a `mailto:` link to open your default mail client.
-```xml
-auth_client_id
-88bf3b6d86161464f6509f7219099e57.access
-auth_client_secret
-bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5
-```
-### `auth_client_secret`
+### `switch_locked`
-Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
-Requires the `auth_client_id` parameter.
+Allows the user to turn off the WARP switch and disconnect the client.
-**Value Type:** `string`
+**Value Type:** `boolean`
-**Value:** Client Secret of the service token.
+**Value:**
-### `display_name`
+* `false` — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
+* `true` — The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.
+
+On new deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
+
+:::note
+This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
+:::
+
+### `unique_client_id`
-When WARP is deployed with [multiple organizations or configurations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/), this parameter is used to identify each configuration in the GUI.
+Assigns a unique identifier to the device for the [device UUID posture check](/cloudflare-one/identity/devices/warp-client-checks/device-uuid).
**Value Type:** `string`
-**Value:** Configuration name shown in the GUI (for example, `Test environment`).
+**Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).
+
+## Top-level parameters
+
+Top-level parameters determine how WARP manages device registrations.
+
+### `configs`
+
+Allows a user to [switch between Zero Trust organizations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/) in the WARP client GUI. The `configs` array is also required when using another [top-level parameter](#top-level-parameters) such as `multi_user` or `pre_login`, even if only one organization is specified.
+
+**Value Type:** `array`
+
+**Value:** An array containing one or more Zero Trust organizations.
+
+### `multi_user`
+
+Enables multiple user registrations on a Windows device.
+
+**Value Type:** `boolean`
+
+**Value:**
+
+* `false` — (default) Only one WARP registration is stored per device. After a user logs in to WARP, their settings and identity will apply to all traffic from the device.
+* `true` — Each Windows user has their own WARP registration. For more information, refer to [Multiple users on a Windows device](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
+
+### `pre_login`
+
+Allows WARP to connect with a service token before a user completes the initial Windows login. For more information, refer to [Connect WARP before Windows login](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/).
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations.mdx
index 3e23bdb1be042f3..b1b82e759c3f9b6 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations.mdx
@@ -44,32 +44,35 @@ An MDM file supports a maximum of 25 configurations. The following example inclu
```xml
-
-
- organization
- mycompany
- display_name
- Production environment
-
-
- organization
- mycompany
- override_api_endpoint
- 203.0.113.0
- override_doh_endpoint
- 203.0.113.0
- override_warp_endpoint
- 203.0.113.0:2408
- display_name
- Cloudflare China network
-
-
- organization
- test-org
- display_name
- Test environment
-
-
+
+ configs
+
+
+ organization
+ mycompany
+ display_name
+ Production environment
+
+
+ organization
+ mycompany
+ override_api_endpoint
+ 203.0.113.0
+ override_doh_endpoint
+ 203.0.113.0
+ override_warp_endpoint
+ 203.0.113.0:2408
+ display_name
+ Cloudflare China network
+
+
+ organization
+ test-org
+ display_name
+ Test environment
+
+
+
```
@@ -89,32 +92,35 @@ An MDM file supports a maximum of 25 configurations. The following example inclu
```xml
-
-
- organization
- mycompany
- display_name
- Production environment
-
-
- organization
- mycompany
- override_api_endpoint
- 203.0.113.0
- override_doh_endpoint
- 203.0.113.0
- override_warp_endpoint
- 203.0.113.0:2408
- display_name
- Cloudflare China network
-
-
- organization
- test-org
- display_name
- Test environment
-
-
+
+ configs
+
+
+ organization
+ mycompany
+ display_name
+ Production environment
+
+
+ organization
+ mycompany
+ override_api_endpoint
+ 203.0.113.0
+ override_doh_endpoint
+ 203.0.113.0
+ override_warp_endpoint
+ 203.0.113.0:2408
+ display_name
+ Cloudflare China network
+
+
+ organization
+ test-org
+ display_name
+ Test environment
+
+
+
```
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser.mdx
new file mode 100644
index 000000000000000..7a318c6cac90fca
--- /dev/null
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser.mdx
@@ -0,0 +1,113 @@
+---
+pcx_content_type: concept
+title: Multiple users on a Windows device
+sidebar:
+ order: 3
+ badge:
+ variant: tip
+ text: Beta
+---
+
+import { Details, Render, Badge } from "~/components";
+
+
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| All modes | All plans |
+
+| System | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows | ✅ | 2024.12.326.1 |
+| macOS | ❌ | |
+| Linux | ❌ | |
+| iOS | ❌ | |
+| Android | ❌ | |
+| ChromeOS | ❌ | |
+
+
+
+Cloudflare WARP supports multiple user registrations on a single Windows device. When deployed in multi-user mode, the WARP client will automatically switch user registrations after a user logs in to their Windows account. All traffic to Cloudflare will be attributed to the currently active Windows user. This allows administrators to apply identity-based policies and device settings, audit user activity, and remove individual users from a shared workstation.
+
+:::note
+A user must log out of their Windows account before switching to another account. A user cannot lock the screen and log in to another account, use the **Switch users** option in Windows, or have any other type of concurrent sessions.
+:::
+
+## Enable multi-user mode
+
+To enable multi-user support on Windows, [deploy an MDM file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#windows) onto the device with the `multi_user` key set to `true`. For example:
+
+```xml
+
+ multi_user
+
+
+ configs
+
+
+ organization
+ your-team-name
+ display_name
+ Default
+
+
+
+```
+
+To use multi-user mode alongside the [Windows pre-login](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/) and [Switch between Zero Trust organizations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/) options:
+
+```xml
+
+ multi_user
+
+ pre_login
+
+ organization
+ mycompany
+ auth_client_id
+ 88bf3b6d86161464f6509f7219099e57.access
+ auth_client_secret
+ bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5
+
+ configs
+
+
+ organization
+ mycompany
+ display_name
+ Production environment
+
+
+ organization
+ test-org
+ display_name
+ Test environment
+
+
+
+```
+
+When enabling multi-user mode for the first time, users will need to re-register even if they had a previous registration.
+
+## WARP registration logic
+
+The following flowchart shows how WARP registration settings take effect as users log in and out:
+
+```mermaid
+flowchart TB
+ start(["Enable multi-user mode"])-->reg["Active Windows user is prompted to register WARP"]
+ reg--"Log out of Windows"-->prelogin
+
+ subgraph preloginbehavior["Windows login screen"]
+ prelogin{{"Is there a pre-login
registration?"}}
+ preloginyes["Use pre-login settings"]
+ prelogin--"Yes"-->preloginyes
+ prelogin-. "No" .->preloginno
+ preloginno["Stay registered as
previous Windows user"]
+ end
+
+ preloginbehavior--"Log in to Windows"---->regexists{{"Has the user already registered with WARP?"}}
+ regexists--"Yes"-->user["Switch to that user's registration"]
+ regexists-. "No" .->reg
+```
+
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx
index 951660834016e07..a04dff999b5c075 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx
@@ -18,10 +18,6 @@ The WARP client does not run on Windows Server. Refer to the [downloads page](/c
[Managed network detection](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/) will not work when the TLS certificate is served from IIS 8.5 on Windows Server 2012 R2. To work around the limitation, move the certificate to a different host.
-## Multi-user support on Windows
-
-The WARP client does not support multiple users on a single Windows device. WARP uses hard-coded global paths to store settings and keys and does not save information on a per-user basis. Therefore, after one user logs into WARP, their settings will apply to all traffic from the device.
-
## nslookup on Windows in DoH mode
On Windows devices in [Gateway with DoH mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh), `nslookup` by default sends DNS requests to the [WARP local DNS proxy](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#dns-traffic) over IPv6. However, because WARP uses an IPv4-mapped IPv6 address (instead of a real IPv6 address), `nslookup` will not recognize this address type and the query will fail: