Merge branch 'main' into remove_olympia

Liz Long 2022-10-04 11:28:07 -04:00 committed by GitHub
commit 3019cdd287
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 401 additions and 232 deletions


@ -90,6 +90,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave | | Brave Browser | 1.34.80 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | | Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | | Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
| CKAuthenticator | 3.6 | Win32 | Content Keeper | | CKAuthenticator | 3.6 | Win32 | Content Keeper |
| Class Policy | 114.0.0 | Win32 | Class Policy | | Class Policy | 114.0.0 | Win32 | Class Policy |
@ -133,7 +134,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Remote Help | 3.8.0.12 | Win32 | Microsoft | | Remote Help | 3.8.0.12 | Win32 | Microsoft |
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
| Secure Browser | 14.0.0 | Win32 | Cambium Development |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
| Zoom | 5.9.1 (2581) | Win32 | Zoom | | Zoom | 5.9.1 (2581) | Win32 | Zoom |
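Review bot: the added row `| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |` in the first hunk and the removed row `| Secure Browser | 14.0.0 | Win32 | Cambium Development |` in the second hunk carry the same version and publisher, so this is a product rename plus an alphabetical re-sort rather than a newly supported application; say so in the PR description so a reviewer does not have to cross-check the two hunks to see that no app was added or dropped. The new position (between Bulb Digital Portfolio and Cisco Umbrella) is the correct alphabetical slot for the new name.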


@ -129,13 +129,13 @@
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- name: Subscription Activation - name: Subscription Activation
items: items:
- name: Windows 10/11 Subscription Activation - name: Windows subscription activation
href: windows-10-subscription-activation.md href: windows-10-subscription-activation.md
- name: Windows 10/11 Enterprise E3 in CSP - name: Windows Enterprise E3 in CSP
href: windows-10-enterprise-e3-overview.md href: windows-10-enterprise-e3-overview.md
- name: Configure VDA for Subscription Activation - name: Configure VDA for subscription activation
href: vda-subscription-activation.md href: vda-subscription-activation.md
- name: Deploy Windows 10/11 Enterprise licenses - name: Deploy Windows Enterprise licenses
href: deploy-enterprise-licenses.md href: deploy-enterprise-licenses.md
- name: Deploy Windows client updates - name: Deploy Windows client updates
items: items:
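Review bot: the child entries move to sentence case (`Windows subscription activation`, `Configure VDA for subscription activation`, `Deploy Windows Enterprise licenses`) while the unchanged parent node `- name: Subscription Activation` keeps title case; change the parent to `Subscription activation` in the same PR so the node reads consistently. Leaving the hrefs on the existing `windows-10-*.md` filenames is the right call for link stability even though the titles are now version-neutral.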


@ -1,256 +1,296 @@
--- ---
title: Deploy Windows 10/11 Enterprise licenses title: Deploy Windows Enterprise licenses
manager: dougeby description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
ms.author: aaroncz
description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP
ms.prod: w10
ms.localizationpriority: medium
author: aczechowski author: aczechowski
ms.topic: article ms.author: aaroncz
manager: dougeby
ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: how-to
ms.collection: highpri ms.collection: highpri
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
--- ---
# Deploy Windows 10/11 Enterprise licenses # Deploy Windows Enterprise licenses
This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
- Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
- Enterprise E3 in CSP.
- Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
- Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing.
## Enable subscription activation with an existing EA
If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:
| SKU | Description |
|---------|---------|
| **AAA-51069** | `Win OLS Activation User Alng Sub Add-on E3` |
| **AAA-51068** | `Win OLS Activation User Sub Add-on E5` |
| **VRM-00001** | `Win OLS Activation User GCC Sub Per User` <!-- 6783128 --> |
> [!NOTE]
> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 -->
1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.
1. You can now assign subscription licenses to users.
If you need to update contact information and resend the activation email, use the following process:
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
1. Select **Subscriptions**.
1. Select **Online Services Agreement List**.
1. Enter your agreement number, and then select **Search**.
1. Select the **Service Name**.
1. In the **Subscription Contact** section, select the name listed under **Last Name**.
1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email.
## Preparing for deployment: reviewing requirements
- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
### Active Directory synchronization with Azure AD
If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
Figure 1: On-premises AD DS integrated with Azure AD
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
## Assigning licenses to users
After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service:
:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing.":::
The following methods are available to assign licenses:
- When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
- You can sign in to the Microsoft 365 admin center and manually assign licenses:
:::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user.":::
- You can assign licenses by uploading a spreadsheet.
- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx).
> [!TIP]
> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/).
## Explore the upgrade experience
Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.
> [!NOTE] > [!NOTE]
> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. > The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ### Step 1: Join Windows Pro devices to Azure AD
> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it doesn't work on per device based licensing.
You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up.
#### Join a device to Azure AD the first time the device is started
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
:::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup.":::
Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**.
:::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
:::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
Now the device is Azure AD-joined to the organization's subscription.
#### Join a device to Azure AD when the device is already set up with Windows 10 Pro
> [!IMPORTANT] > [!IMPORTANT]
> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device isn't able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
>
>Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled".
## Firmware-embedded activation key 1. Go to **Settings**, select **Accounts**, and select **Access work or school**.
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page.":::
Figure 5: "Connect to work or school" configuration in Settings.
1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**.
:::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
Figure 6: Set up a work or school account.
1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
:::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
Figure 7: The "Let's get you signed in" window.
Now the device is Azure AD-joined to the organization's subscription.
### Step 2: Pro edition activation
If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
### Step 3: Sign in using Azure AD account
Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user.":::
Figure 8: Sign in to Windows 10 with an Azure AD account.
### Step 4: Verify that Enterprise edition is enabled
To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings.":::
Figure 9: Verify Windows 10 Enterprise subscription in Settings.
If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
> [!NOTE]
> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:
>
> ```console
> Name: Windows(R), Professional edition
> Description: Windows(R) Operating System, RETAIL channel
> Partial Product Key: 3V66T
> ```
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:
- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709.
### Troubleshoot common problems in the Activation pane
Use the following figures to help you troubleshoot when users experience common problems:
#### Device in healthy state
The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated.":::
#### Device that's not activated with active subscription
Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active.":::
Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.
It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034."
#### Device that's activated without an Enterprise subscription
Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active.":::
Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
It displays the following error: "Windows 10 Enterprise subscription is not valid."
#### Device that's not activated and without an Enterprise subscription
Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active.":::
Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings.
It displays both of the previously mentioned error messages.
### Review requirements on devices
Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
Use the following procedures to review whether a particular device meets these requirements.
#### Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
```PowerShell ```PowerShell
(Get-CimInstance -query select * from SoftwareLicensingService).OA3xOriginalProductKey (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
``` ```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA #### Determine if a device is Azure AD-joined
If you're an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Open a command prompt and enter `dsregcmd /status`.
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: 1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD.
- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 #### Determine the version of Windows
- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After an order is placed, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Open a command prompt and enter `winver`.
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). 1. The **About Windows** window displays the OS version and build information.
2. Click **Subscriptions**.
3. Click **Online Services Agreement List**.
4. Enter your agreement number, and then click **Search**.
5. Click the **Service Name**.
6. In the **Subscription Contact** section, click the name listed under **Last Name**.
7. Update the contact information, then click **Update Contact Details**. This action will trigger a new email.
Also in this article: 1. Compare this information again the Windows support lifecycle:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
## Active Directory synchronization with Azure AD - [Windows 10 release information](/windows/release-health/release-information)
- [Windows 11 release information](/windows/release-health/windows11-release-information)
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This synchronization means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
> [!NOTE] > [!NOTE]
> If you're implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. > If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
## Preparing for deployment: reviewing requirements ### Delay in the activation of Enterprise license of Windows 10
Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
## Assigning licenses to users ## Known issues
Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue:
> [!div class="mx-imgBorder"] - Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`.
> ![profile.](images/al01.png)
The following methods are available to assign licenses: - Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations.
1. When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
2. You can sign in to portal.office.com and manually assign licenses:
![portal.](images/al02.png)
3. You can assign licenses by uploading a spreadsheet.
4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices?
### Step 1: Join Windows 10/11 Pro devices to Azure AD
Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.<br/><br/>
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.<br/><br/>
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.<br/><br/>
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure ADjoined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.<br/><br/>
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.<br/><br/>
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.<br/><br/>
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure ADjoined to the company's subscription.
### Step 2: Pro edition activation
> [!IMPORTANT]
> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<br/><span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<br><strong>Figure 7a - Windows 10 Pro activation in Settings</strong>
Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<br/><img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<br/><span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
> [!NOTE]
> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
> Name: Windows(R), Professional edition
> Description: Windows(R) Operating System, RETAIL channel
> Partial Product Key: 3V66T
## Virtual Desktop Access (VDA) ## Virtual Desktop Access (VDA)
Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later.
- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
<br/><span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<br><strong>Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings</strong>
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
<br/><span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<br><strong>Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
<br/><span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<br><strong>Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory-joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined.
**To determine the version of Windows 10:**
At a command prompt, type: **winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
### Delay in the activation of Enterprise License of Windows 10
This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
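Review bot: the device-requirement check under "Review requirements on devices" only covers the Azure AD-joined case (`dsregcmd /status`, `AzureAdJoined` = YES), although the paragraph above it says hybrid domain-joined devices with Azure AD Connect are also eligible; add that a hybrid-joined device shows both `DomainJoined : YES` and `AzureAdJoined : YES` in the same Device State block, so an admin does not misread a hybrid device as ineligible. Two smaller points in the same hunk: the edited VDA paragraph now says "Windows Enterprise" and "Azure", while the surrounding lines still read "Windows 10/11 Enterprise E3 or E5", "Windows 10 Pro" and "Azure Active Directory-joined"; pick one form. And the replacement sentence "Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA ..." is shown here after the "Delay in the activation of Enterprise License" section; confirm it sits directly under the VDA heading in the file, where the sentence it replaces was.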


@ -14,15 +14,13 @@ search.appverid:
- MET150 - MET150
ms.topic: conceptual ms.topic: conceptual
ms.date: 07/12/2022 ms.date: 07/12/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
--- ---
# Windows subscription activation # Windows subscription activation
Applies to:
- Windows 10
- Windows 11
The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
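Review bot: `ms.date` on this page stays at 07/12/2022 although the commit changes its content (the `appliesto` front matter in this hunk and the October 1, 2022 GCC availability note in the next one); bump the date so readers can tell the page reflects that change. The new `appliesto` entries embed HTML (`<b>Windows 10</b>`) and a ✅ character inside YAML list items; confirm the build's metadata schema accepts markup in that field, since the body "Applies to:" list this replaces was plain markdown.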
@ -100,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT] > [!IMPORTANT]
> Currently, subscription activation is only available on commercial tenants. It's currently not available on US GCC, GCC High, or DoD tenants. > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
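Review bot: the rewritten IMPORTANT note mixes a dated statement ("As of October 1, 2022, subscription activation is available for commercial and GCC tenants") with an undated one ("It's currently not available on GCC High or DoD tenants"); "currently" will go stale, so tie both to the date or drop the word. The added link to "Enable subscription activation with an existing EA" sits in the same sentence as the tenant-availability statement without saying what the reader will find there; a short clause stating what that section adds for GCC tenants would make the cross-reference useful. The `<!-- 6783128 -->` tracking comment is glued to the preceding sentence with no space; move it to the end of the line or onto its own line.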
@ -218,7 +216,7 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if (
If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. - The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps.
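Review bot: this hunk only renames the anchor from `#enabling-subscription-activation-with-an-existing-ea` to `#enable-subscription-activation-with-an-existing-ea`, so it is a broken link unless the target heading in deploy-enterprise-licenses.md was renamed in the same commit; the part of that file shown in this commit does not include the heading, so confirm the rename landed (the same new anchor is also used in the IMPORTANT note in the previous hunk).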


@ -231,6 +231,30 @@ After a successful MFA, the provisioning flow asks the user to create and valida
Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity. Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment.
If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
1. Reboot or sign out and sign back in
1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
> [!NOTE]
> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC.
## Troubleshooting ## Troubleshooting
If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps: If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
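Review bot: in the certificate trust migration steps, `certutil -deletehellocontainer` removes the user's whole Windows Hello container on the device, but nothing in the list deals with the certificate that certificate trust issued to that user: it remains valid in the issuing CA's database until it is revoked. Add a step (or a pointer) for revoking or cleaning up the old Windows Hello for Business certificates so a stale credential is not left behind, and state that step 3 must run while the user is still signed in (it is "from the user context") before the sign-out or reboot in step 4. For the key trust migration, the fallback sentence is the security-relevant part: make explicit that after the policy is set the device keeps authenticating with key trust until a sign-in with line of sight to a DC succeeds, so admins verify the switch rather than assume it.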


@ -85,6 +85,8 @@
href: merge-windows-defender-application-control-policies.md href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies - name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md href: enforce-windows-defender-application-control-policies.md
- name: Managing WDAC Policies with CI Tool
href: citool-commands.md
- name: Use code signing to simplify application control for classic Windows applications - name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items: items:
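Review bot: the new TOC entry is "Managing WDAC Policies with CI Tool" while the sibling entries use the imperative ("Enforce WDAC policies", "Use code signing to simplify application control ...") and the new page's front matter calls the tool "CiTool"; use "Manage WDAC policies with CiTool" so the TOC matches both the house style and the product name used on the page.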


@ -0,0 +1,105 @@
---
title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
author: valemieux
ms.author: jogeurte
ms.service: security
ms.reviewer: jogeurte
ms.topic: how-to
ms.date: 08/07/2022
ms.custom: template-how-to
---
# Manage Windows Defender Application Control (WDAC) Policies with CI Tool
CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2.
## Policy Commands
| Command | Description | Alias |
|--------|---------|---------|
| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
## Token Commands
| Command | Description | Alias |
|--------|---------|---------|
| --add-token `<Path/To/Token/File>` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
| --remove-token `<ID>` | Remove a Token indicated by ID from the system. | -rt |
| --list-tokens | Dump information about all tokens on the system | -lt |
> [!NOTE]
> Regarding --add-token, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
## Miscellaneous Commands
| Command | Description | Alias |
|--------|---------|---------|
| --device-id | Dump the Code Integrity Device ID | -id |
| --refresh | Attempt to Refresh WDAC Policies | -r |
| --help | Display the tool's help menu | -h |
## Examples
1. Deploy a WDAC policy onto the system
```powershell
PS C:\Users\<USER> CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip"
Operation Successful
Press Enter to Continue
```
2. Refresh the WDAC policies
```powershell
PS C:\Users\<USER> CITool --refresh
Operation Successful
```
3. Remove a specific WDAC policy by its policy ID
```powershell
PS C:\Users\<USER> CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}"
Operation Successful
Press Enter to Continue
```
4. Display the help menu
```powershell
PS C:\Users\<USER> CITool -h
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File <--token-id ID>
Deploy a token onto the current system, with an optional specific ID
If <ID> is specified, a pre-existing token with <ID> should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
```
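Review bot: the new page never says which privilege level the policy and token commands need; the prompts in the examples are `PS C:\Users\<USER>`, which reads as a non-elevated session, so state up front that `--update-policy`, `--remove-policy`, `--add-token`, `--remove-token` and `--refresh` must be run from an elevated prompt (and fix the prompts, which are also missing the trailing `>`). Also document what happens after `--update-policy` and `--remove-policy`: the sample output shows "Press Enter to Continue" for those two but not for `--refresh`, so say whether the command blocks for input (admins will script this) and whether the change is live immediately, after `--refresh`, or only after a reboot. The tool's name appears as "CiTool", "CI Tool" and "CITool" across the front matter, H1, body and examples; pick one. The note under the token table repeats the sentence already in the help text and uses `<ID>` where the table uses `--token-id ID`; align them.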


@ -2,7 +2,6 @@
title: Understanding Windows Defender Application Control (WDAC) secure settings title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control. description: Learn about secure settings in Windows Defender Application Control.
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
author: jgeurten author: jgeurten
@ -10,6 +9,7 @@ ms.reviewer: vinpa
ms.author: jogeurte ms.author: jogeurte
manager: aaroncz manager: aaroncz
ms.date: 10/11/2021 ms.date: 10/11/2021
ms.technology: itpro-security
--- ---
# Understanding WDAC Policy Settings # Understanding WDAC Policy Settings