Merge pull request #7551 from MicrosoftDocs/main

Publish 11/21/2022 3:30 PM PT

windows/client-management/mdm/policy-csp-deliveryoptimization.md

@@ -1457,9 +1457,11 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 Set this policy to restrict peer selection via selected option.
-Options available are: 1=Subnet mask (more options will be added in a future release).
+In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery".
 
-Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2).
+If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
+
+The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1474,7 +1476,9 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
--   1 - Subnet mask.
+-   0 - NAT
+-   1 - Subnet mask
+-   2 - Local Peer Discovery
 
 <!--/SupportedValues-->
 <!--/Policy-->

windows/client-management/mdm/policy-csp-internetexplorer.md

@@ -4426,7 +4426,7 @@ The following list shows the supported values:
 ADMX Info:
 -   GP Friendly name: *Enable extended hot keys in Internet Explorer mode*
 -   GP name: *EnableExtendedIEModeHotkeys*
--   GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
+-   GP path: *Windows Components/Internet Explorer/Main*
 -   GP ADMX file name: *inetres.admx*
 
 <!--/ADMXBacked-->

windows/client-management/mdm/policy-csp-kioskbrowser.md

@@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol
 
 <!--/Scope-->
 <!--Description-->
-List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to.
+List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character.
 
 > [!NOTE]
 > This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i
 
 ## Related topics
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-localusersandgroups.md

@@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
 
 Example 1: Azure Active Directory focused.
 
-The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
+The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
 
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "U" />
         <add member = "AzureAD\bob@contoso.com"/>
         <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
@@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac
 Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account.
 
 > [!NOTE]
-> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group.
+> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
 
 Example:
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "R" />
         <add member = "AzureAD\bob@contoso.com"/>
         <add member = "Administrator"/>
@@ -134,11 +134,11 @@ Example:
 
 Example 3: Update action for adding and removing group members on a hybrid joined machine.
 
-The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
+The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
 
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "U" />
         <add member = "Contoso\ITAdmins"/>
         <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>

windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md

@@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s
 
 ### Possible values
 
--   A user-defined number of minutes from 0 through 99,999
+-   A user-defined number of minutes from 0 through 99,999.
 
-    For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy.
+    For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy.
 
 -   Not defined
 

windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md

@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
 
 The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
 
-1.  Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive.
+1.  Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
 
     The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
     The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.

windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md

@@ -229,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
 
 ### VSCodeInstall.cmd
 
+Download vscode to `downloads` folder and run from `downloads` folder
+
 ```batch
 REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
 
 REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
+C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
 ```
 
 ### VSCode.wsb
@@ -244,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
   <MappedFolders>
     <MappedFolder>
       <HostFolder>C:\SandboxScripts</HostFolder>
+      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\sandbox</SandboxFolder>
       <ReadOnly>true</ReadOnly>
     </MappedFolder>
     <MappedFolder>
       <HostFolder>C:\CodingProjects</HostFolder>
+      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\Projects</SandboxFolder>
       <ReadOnly>false</ReadOnly>
     </MappedFolder>
   </MappedFolders>
   <LogonCommand>
-    <Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
+    <Command>C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd</Command>
   </LogonCommand>
 </Configuration>
 ```