Merge pull request #5378 from MicrosoftDocs/dh-windows-pr-repo-health

Dh windows pr repo health

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -63,7 +63,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
     > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
 
 > [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
 
 ### Enable Windows Defender Credential Guard by using the registry
 

windows/security/identity-protection/hello-for-business/hello-deployment-issues.md

@@ -76,26 +76,27 @@ Applies to:
 Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
 
 For more information, read [Guidelines for enabling smart card logon with third-party certification authorities](
-https://docs.microsoft.com/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
+/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
 
 ### Identifying On-premises Resource Access Issues with Third-Party CAs
 
 This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information:
 
-    Log Name:      Microsoft-Windows-Kerberos/Operational
+```console
-    Source:        Microsoft-Windows-Security-Kerberos
+Log Name:      Microsoft-Windows-Kerberos/Operational
-    Event ID:      107
+Source:        Microsoft-Windows-Security-Kerberos
-    GUID:          {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} 
+Event ID:      107
-    Task Category: None
+GUID:          {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} 
-    Level:         Error
+Task Category: None
-    Keywords:      
+Level:         Error
-    User:          SYSTEM
+Keywords:      
-    Description:
+User:          SYSTEM
+Description:
 
-    The Kerberos client received a KDC certificate that does not have a matched domain name.
+The Kerberos client received a KDC certificate that does not have a matched domain name.
-    
+Expected Domain Name: ad.contoso.com
-    Expected Domain Name: ad.contoso.com
+Error Code: 0xC000006D
-    Error Code: 0xC000006D
+ ```
 
 ### Resolving On-premises Resource Access Issue with Third-Party CAs
 
@@ -144,50 +145,54 @@ AD FS running on Windows Server 2019 fails to complete device authentication pro
 
 The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*.
 
-    Log Name:      Microsoft-Windows-User Device Registration/Admin
+```console
-    Source:        Microsoft-Windows-User Device Registration
+Log Name:      Microsoft-Windows-User Device Registration/Admin
-    Date:          <Date and time>
+Source:        Microsoft-Windows-User Device Registration
-    Event ID:      362
+Date:          <Date and time>
-    Task Category: None
+Event ID:      362
-    Level:         Warning
+Task Category: None
-    Keywords:     
+Level:         Warning
-    User:          <User SID>
+Keywords:     
-    Computer:      <Computer name>
+User:          <User SID>
-    Description:
+Computer:      <Computer name>
-    Windows Hello for Business provisioning will not be launched.
+Description:
-    Device is AAD joined ( AADJ or DJ++ ): Yes
+Windows Hello for Business provisioning will not be launched.
-    User has logged on with AAD credentials: Yes
+Device is AAD joined ( AADJ or DJ++ ): Yes
-    Windows Hello for Business policy is enabled: Yes
+User has logged on with AAD credentials: Yes
-    Windows Hello for Business post-logon provisioning is enabled: Yes
+Windows Hello for Business policy is enabled: Yes
-    Local computer meets Windows hello for business hardware requirements: Yes
+Windows Hello for Business post-logon provisioning is enabled: Yes
-    User is not connected to the machine via Remote Desktop: Yes
+Local computer meets Windows hello for business hardware requirements: Yes
-    User certificate for on premise auth policy is enabled: Yes
+User is not connected to the machine via Remote Desktop: Yes
-    Enterprise user logon certificate enrollment endpoint is ready: Not Tested
+User certificate for on premise auth policy is enabled: Yes
-    Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) 
+Enterprise user logon certificate enrollment endpoint is ready: Not Tested
-    User has successfully authenticated to the enterprise STS: No
+Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) 
-    Certificate enrollment method: enrollment authority
+User has successfully authenticated to the enterprise STS: No
-    See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
+Certificate enrollment method: enrollment authority
+See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
+```
 
 If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration.
 
 If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http<span>://schemas.microsoft.com/ws/2009/12/identityserver/selfscope</span>' with scope 'ugs':
 
-    Log Name:      AD FS/Admin
+```console
-    Source:        AD FS
+Log Name:      AD FS/Admin
-    Date:          <Date and time>
+Source:        AD FS
-    Event ID:      1021
+Date:          <Date and time>
-    Task Category: None
+Event ID:      1021
-    Level:         Error
+Task Category: None
-    Keywords:      AD FS
+Level:         Error
-    User:          <ADFS service Account>
+Keywords:      AD FS
-    Computer:      <Date and time>
+User:          <ADFS service Account>
-    Description:
+Computer:      <Date and time>
-    Encountered error during OAuth token request.
+Description:
-    Additional Data
+Encountered error during OAuth token request.
-    Exception details:
+Additional Data
-    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'.
+Exception details:
+Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'.
        at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
        at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
+```
 
 ### Resolving Certificate Trust with AD FS 2019 Enrollment Issue
 

windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md

@@ -26,9 +26,8 @@ This article depicts the BitLocker deployment comparison chart.
 
 ## BitLocker deployment comparison chart
 
-|  |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
+| Requirements |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
 |---------|---------|---------|---------|
-|**Requirements**||||
 |Minimum client operating system version     |Windows 10     | Windows 10 and Windows 8.1  | Windows 7 and later        |
 |Supported Windows 10 SKUs     |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
 |Minimum Windows 10 version     |1909   |    None     |    None     |