mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 05:13:40 +00:00
Merge branch 'main' into patch-4
@ -12,7 +12,7 @@ ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
ms.technology: itpro-configure
|
||||
ms.date: 12/31/2017
|
||||
ms.date: 06/15/2023
|
||||
---
|
||||
|
||||
# Set up a single-app kiosk on Windows 10/11
|
||||
|
@ -12,7 +12,7 @@ metadata:
|
||||
- highpri
|
||||
- tier3
|
||||
ms.topic: faq
|
||||
ms.date: 04/17/2023
|
||||
ms.date: 06/28/2023
|
||||
title: Delivery Optimization Frequently Asked Questions
|
||||
summary: |
|
||||
**Applies to**
|
||||
@ -111,7 +111,7 @@ sections:
|
||||
The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
|
||||
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service:
|
||||
|
||||
- *.prod.do.dsp.mp.microsoft.com
|
||||
- `*.prod.do.dsp.mp.microsoft.com`
|
||||
|
||||
If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
|
||||
|
||||
@ -119,7 +119,8 @@ sections:
|
||||
answer: |
|
||||
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
|
||||
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
|
||||
|
||||
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
|
||||
|
||||
> [!NOTE]
|
||||
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
|
||||
|
||||
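Review bot: the paragraph "Don't set **Download mode** to '100' (Bypass)" names the setting in bold with no link, while the two mentions in the sentence just above it link to waas-delivery-optimization-reference.md#download-mode. Link this mention the same way, so the FAQ points at the Bypass (100) table row instead of restating it and the two texts cannot drift apart. "Some content" is also vague for an admin deciding whether updates are affected; name the content types if they are known.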
@ -129,4 +130,4 @@ sections:
|
||||
|
||||
- question: What Delivery Optimization settings are available?
|
||||
answer: |
|
||||
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.
|
||||
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.
|
||||
|
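Review bot: the answer line still reads "control s on bandwidth" in both the old and the new version shown here, so the change as displayed is whitespace-only and the typo survives. Change it to "controls on bandwidth" while this line is being touched.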
@ -8,7 +8,7 @@ ms.localizationpriority: medium
|
||||
ms.author: carmenf
|
||||
ms.topic: article
|
||||
ms.technology: itpro-updates
|
||||
ms.date: 12/31/2017
|
||||
ms.date: 06/28/2023
|
||||
ms.collection: tier3
|
||||
---
|
||||
|
||||
@ -128,11 +128,8 @@ Download mode dictates which download sources clients are allowed to use when do
|
||||
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
|
||||
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
|
||||
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
|
||||
| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
|
||||
| Bypass (100) | Starting in Windows 11, this option is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. If you want to disable peer-to-peer functionality, set DownloadMode to (0). If your device doesn't have internet access, set Download Mode to (99). When you set Bypass (100), the download bypasses Delivery Optimization and uses BITS instead. You don't need to set this option if you're using Configuration Manager. |
|
||||
|
||||
> [!NOTE]
|
||||
> Starting in Windows 11, the Bypass option of Download Mode is deprecated.
|
||||
>
|
||||
> [!NOTE]
|
||||
> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
|
||||
|
||||
|
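Review bot: the rewritten Bypass (100) row names the setting three different ways in one cell ("**Download mode**", "DownloadMode", "Download Mode"); pick one form and use it throughout the table. The sentence "You should only select this mode if you use WSUS and prefer to use BranchCache" is gone with no replacement, so WSUS/BranchCache readers no longer get guidance, and the retained "You don't need to set this option if you're using Configuration Manager" now reads oddly after "Don't set". In the remaining note, "should not be relied on for an authentication of identity" would be clearer as "must not be relied on to authenticate those devices".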
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Manage driver and firmware updates
|
||||
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
|
||||
ms.date: 06/27/2023
|
||||
ms.date: 07/04/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: how-to
|
||||
@ -18,7 +18,7 @@ ms.collection:
|
||||
# Manage driver and firmware updates (public preview)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> **This feature will be rolled out when Intune's rollout is complete**. This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
|
||||
> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
|
||||
|
||||
You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
|
||||
|
||||
|
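Review bot: with the rollout sentence removed, the IMPORTANT block still switches between "This feature" and "these features" in consecutive sentences. Use the singular throughout, for example "You can test and use this feature in production environments and provide feedback."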
@ -4,7 +4,7 @@ description: Learn how Microsoft PIN reset services enable you to help users rec
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
ms.date: 03/10/2023
|
||||
ms.date: 07/03/2023
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
||||
@ -63,13 +63,11 @@ You may find that PIN reset from settings only works post login. Also, the lock
|
||||
- Hybrid Windows Hello for Business deployment
|
||||
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
|
||||
|
||||
|
||||
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
|
||||
|
||||
Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11.
|
||||
> The Microsoft PIN Reset service is not currently available in Azure Government.
|
||||
|
||||
### Summary
|
||||
|
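Review bot: in the IMPORTANT block, "Windows 10, version 1709 to 1809 and later" is self-contradictory, since a bounded range cannot also be "and later", and it overlaps the next sentence's "version 1903 and later". If this sentence stays, state the Enterprise-only range as "version 1709 through 1809" and let the second sentence cover 1903 onward. "Windows 10, version 1903 and later, Windows 11" is also missing an "and" before "Windows 11".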
@ -66,6 +66,6 @@ To configure account lockout threshold, follow these steps:
|
||||
|
||||
## Why do you need a PIN to use biometrics?
|
||||
|
||||
Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
|
||||
Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
|
||||
|
||||
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
|
||||
|
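Review bot: the reworded sentence changes the stated order from "create a PIN first" to "create a PIN after the biometric setup", yet the section heading "Why do you need a PIN to use biometrics?" still frames the PIN as a prerequisite. Either adjust the heading or use order-neutral wording such as "you're asked to create a PIN as part of setup", so the paragraph does not depend on the enrollment sequence.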
@ -12,7 +12,7 @@ ms.topic: conceptual
|
||||
ms.date: 06/07/2023
|
||||
---
|
||||
|
||||
# Password must meet complexity requirements
|
||||
# Password must meet complexity requirements
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
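Review bot: the H1 reads "Password must meet complexity requirements" while the body text in the next hunk's context names the setting "**Passwords must meet complexity requirements**". Since the heading line is being touched anyway, align it with the actual policy name.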
@ -30,11 +30,20 @@ The **Passwords must meet complexity requirements** policy setting determines wh
|
||||
|
||||
2. The password contains characters from three of the following categories:
|
||||
|
||||
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
|
||||
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
|
||||
- Base 10 digits (0 through 9)
|
||||
- Non-alphanumeric characters (special characters): ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)``
|
||||
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters).
|
||||
|
||||
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters).
|
||||
|
||||
- Base 10 digits (0 through 9).
|
||||
|
||||
- Non-alphanumeric characters (special characters):
|
||||
|
||||
```
|
||||
'-!"#$%&()*,./:;?@[]^_`{|}~+<=>
|
||||
```
|
||||
|
||||
Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
|
||||
|
||||
- Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
|
||||
|
||||
Complexity requirements are enforced when passwords are changed or created.
|
||||
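Review bot: the new fenced list of special characters omits the backslash, which the old inline list included (`|\\`). If backslash still counts as a special character for this policy, add it back; if the removal is deliberate, say so in the commit message, because admins use this list to validate password generators. Also check that the fence and the "Currency symbols" sentence are indented under the "Non-alphanumeric characters" bullet, otherwise the list will break before the final "Any Unicode character" item.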
@ -104,3 +113,4 @@ The use of ALT key character combinations may greatly enhance the complexity of
|
||||
## Related articles
|
||||
|
||||
- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations)
|
||||
|
||||
|
@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
|
||||
|
||||
### Transport Layer Security (TLS)
|
||||
|
||||
An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
|
||||
An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
|
||||
|
||||
>[!NOTE]
|
||||
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
|
||||
|
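Review bot: the NOTE directly below the corrected sentence still says "experiental implementation"; fix it to "experimental" in the same change. The paragraph also ends on "Also see [Microsoft Edge platform status](...)" with no closing period.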