[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)| -|Ralink|Wireless-G PCI Adapter|pci\ven_1814&dev_0301&subsys_00551737&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619092)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619093)| -|Ralink|Turbo Wireless LAN Card|pci\ven_1814&dev_0301&subsys_25611814&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619094)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619095)| -|Ralink|Wireless LAN Card V1|pci\ven_1814&dev_0302&subsys_3a711186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)| -|Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)|
-
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
-
-### Application installation and domain join
-
-Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
-
-### Management of Windows To Go using Group Policy
-
-In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor.
-
-The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:
-
-**Settings for workspaces**
-
-- **Allow hibernate (S4) when started from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs.
-
- > [!IMPORTANT]
- > For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
-
-- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
-
-**Settings for host PCs**
-
-- **Windows To Go Default Startup Options**
-
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
-
- > [!IMPORTANT]
- > Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
-
-## Supporting booting from USB
-
-The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB.
-
-> [!NOTE]
-> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-
-If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
-### Roaming between different firmware types
-
-Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
-
-
-
-This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
-
-
-
-This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
-
-### Configure Windows To Go startup options
-
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
-
-**To configure Windows To Go startup options**
-
-1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter.
-
- 
-
-2. Select **Yes** to enable the startup options.
-
- > [!TIP]
- > If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.
-
-3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**.
-
-### Change firmware settings
-
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
-
-## Related topics
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index a6299026c3..e37786a9a6 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index a39866b132..7155581ea8 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Fixing Applications by Using the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Fixing Applications by Using the SUA Tool
diff --git a/windows/deployment/planning/images/wtg-first-boot-home.gif b/windows/deployment/planning/images/wtg-first-boot-home.gif
deleted file mode 100644
index 46cd605a2e..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-home.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-first-boot-work.gif b/windows/deployment/planning/images/wtg-first-boot-work.gif
deleted file mode 100644
index c1a9a9d31d..0000000000
Binary files a/windows/deployment/planning/images/wtg-first-boot-work.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-gpt-uefi.gif b/windows/deployment/planning/images/wtg-gpt-uefi.gif
deleted file mode 100644
index 2ff2079a3c..0000000000
Binary files a/windows/deployment/planning/images/wtg-gpt-uefi.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-image-deployment.gif b/windows/deployment/planning/images/wtg-image-deployment.gif
deleted file mode 100644
index d622911f3e..0000000000
Binary files a/windows/deployment/planning/images/wtg-image-deployment.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-bios.gif b/windows/deployment/planning/images/wtg-mbr-bios.gif
deleted file mode 100644
index b93796944a..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-bios.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif b/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif
deleted file mode 100644
index f21592c310..0000000000
Binary files a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/wtg-startup-options.gif b/windows/deployment/planning/images/wtg-startup-options.gif
deleted file mode 100644
index 302da78ea6..0000000000
Binary files a/windows/deployment/planning/images/wtg-startup-options.gif and /dev/null differ
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index 2cf46ee778..a50feb249b 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Install/Uninstall Custom Databases (Windows 10)
description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 9c90b3ca24..69b7bd6cd3 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -3,11 +3,11 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Window
description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Managing Application-Compatibility Fixes and Custom Fix Databases
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
deleted file mode 100644
index 5f5b94be3f..0000000000
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Prepare your organization for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go.
-
-## What is Windows To Go?
-
-Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. A Windows To Go workspace isn't intended to replace desktops or laptops, or supplant other mobility offerings.
-
-Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are:
-
-- USB boot capable
-- Have USB boot enabled in the firmware
-- Meet Windows 7 minimum system requirements
-- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM isn't a supported processor for Windows To Go.
-- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace
-
-Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.
-
-The following articles will familiarize you with how you can use a Windows To Go workspace. They also give you an overview of some of the things you should consider in your design.
-
-## Usage scenarios
-
-
-The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer:
-
-- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection, or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
-
-- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker. Then they can be assisted with any necessary other user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive. And run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer.
-
-- **Managed free seating.** The employee is issued a Windows To Go drive. This drive is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return, they use the same USB flash drive but use a different host computer.
-
-- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work. This boot caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
-
-- **Travel lightly.** In this situation, you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
-
-> [!NOTE]
-> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object isn't potentially deleted from Active Directory Domain Services (AD DS).
-
- ## Infrastructure considerations
-
-Because Windows To Go requires no other software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no other infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group.
-
-## Activation considerations
-
-Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This method is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
-
-You should investigate other software manufacturer's licensing requirements to ensure they're compatible with roaming usage before deploying them to a Windows To Go workspace.
-
-> [!NOTE]
-> Using Multiple Activation Key (MAK) activation isn't a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
-
- For more information about these activation methods and how they can be used in your organization, see [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)).
-
-## Organizational unit structure and use of Group Policy Objects
-
-You may find it beneficial to create other Active Directory organizational unit (OU) structures to support your Windows To Go deployment: one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers that can boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation.
-
-If you're deploying Windows To Go workspaces for a scenario in which they're not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store.
-
-For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-## Computer account management
-
-If you configure Windows To Go drives for scenarios where drives may remain unused for extended periods of time such as used in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule, or modify any maintenance scripts to not clean computer accounts in the Windows To Go device organizational unit.
-
-## User account and data management
-
-People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to be able to get to the data that they work with, and to keep it accessible when the workspace isn't being used. For this reason, we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.
-
-## Remote connectivity
-
-If you want Windows To Go to be able to connect back to organizational resources when it's being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
-
-## Related articles
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 826f2dfc4c..aa27616363 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -3,11 +3,11 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows
description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Searching for Fixed Applications in Compatibility Administrator
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 4c0f2e2689..847fb0731b 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compat
description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
deleted file mode 100644
index b376163521..0000000000
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Security and data protection considerations for Windows To Go (Windows 10)
-description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
-ms.date: 12/31/2017
----
-
-# Security and data protection considerations for Windows To Go
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
-
-## Backup and restore
-
-When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement.
-
-If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
-
-## BitLocker
-
-We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
-
-You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
-
-> [!Tip]
-> If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
-
-When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode.
-
-## Disk discovery and data leakage
-
-We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
-
-To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)).
-
-## Security certifications for Windows To Go
-
-Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider's specific hardware environment. For more information about Windows security certifications, see the following articles.
-
-- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria)
-
-- [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation)
-
-## Related articles
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
-
-
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index 25850695fc..cb8a3ebc82 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Showing Messages Generated by the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Showing Messages Generated by the SUA Tool
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 4f53104c76..47b4ffba5c 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -3,11 +3,11 @@ title: SUA User's Guide (Windows 10)
description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# SUA User's Guide
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index a2dff7087c..c6af910322 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -3,11 +3,11 @@ title: Tabs on the SUA Tool Interface (Windows 10)
description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Tabs on the SUA Tool Interface
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index b2ff9f8850..481d2ce883 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -3,11 +3,11 @@ title: Testing Your Application Mitigation Packages (Windows 10)
description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Testing Your Application Mitigation Packages
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index ee6976fca5..7327ff75b9 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -3,10 +3,10 @@ title: Understanding and Using Compatibility Fixes (Windows 10)
description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index cb156708b7..d3c2f77b38 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -3,11 +3,11 @@ title: Using the Compatibility Administrator Tool (Windows 10)
description: This section provides information about using the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the Compatibility Administrator Tool
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index f6e1a6fbee..2ae090b3f3 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -3,11 +3,11 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the Sdbinst.exe Command-Line Tool
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 5b72bfbc4b..043d002305 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -3,11 +3,11 @@ title: Using the SUA Tool (Windows 10)
description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the SUA Tool
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index ce121c5440..8f7ed9170b 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -3,11 +3,11 @@ title: Using the SUA wizard (Windows 10)
description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Using the SUA wizard
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 44cf622430..38b8b8cf10 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -3,10 +3,10 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index e444794da2..83227970dd 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -3,11 +3,11 @@ title: Windows 10 compatibility (Windows 10)
description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index b3911601ff..434b7da17f 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -3,11 +3,11 @@ title: Windows 10 deployment considerations (Windows 10)
description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 853855b43b..3dee852942 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -3,8 +3,8 @@ metadata:
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
- ms.prod: windows-client
- ms.technology: itpro-deploy
+ ms.service: windows-client
+ ms.subservice: itpro-deploy
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 7341f4b302..06a835b0ba 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -3,11 +3,11 @@ title: Windows 10 infrastructure requirements (Windows 10)
description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
deleted file mode 100644
index 4907345be4..0000000000
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ /dev/null
@@ -1,455 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: Windows To Go frequently asked questions (Windows 10)
- description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature.
- ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
- ms.reviewer:
- author: frankroj
- ms.author: frankroj
- manager: aaroncz
- keywords: FAQ, mobile, device, USB
- ms.prod: windows-client
- ms.technology: itpro-deploy
- ms.mktglfcycl: deploy
- ms.pagetype: mobility
- ms.sitesec: library
- audience: itpro
- ms.topic: faq
- ms.date: 10/28/2022
-title: 'Windows To Go: frequently asked questions'
-summary: |
- **Applies to**
-
- - Windows 10
-
- > [!IMPORTANT]
- > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
- The following list identifies some commonly asked questions about Windows To Go.
-
- - [What is Windows To Go?](#what-is-windows-to-go-)
-
- - [Does Windows To Go rely on virtualization?](#does-windows-to-go-rely-on-virtualization-)
-
- - [Who should use Windows To Go?](#who-should-use-windows-to-go-)
-
- - [How can Windows To Go be deployed in an organization?](#how-can-windows-to-go-be-deployed-in-an-organization-)
-
- - [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#is-windows-to-go-supported-on-both-usb-2-0-and-usb-3-0-drives-)
-
- - [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#is-windows-to-go-supported-on-usb-2-0-and-usb-3-0-ports-)
-
- - [How do I identify a USB 3.0 port?](#how-do-i-identify-a-usb-3-0-port-)
-
- - [Does Windows To Go run faster on a USB 3.0 port?](#does-windows-to-go-run-faster-on-a-usb-3-0-port-)
-
- - [Can the user self-provision Windows To Go?](#can-the-user-self-provision-windows-to-go-)
-
- - [How can Windows To Go be managed in an organization?](#how-can-windows-to-go-be-managed-in-an-organization-)
-
- - [How do I make my computer boot from USB?](#how-do-i-make-my-computer-boot-from-usb-)
-
- - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-)
-
- - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-)
-
- - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-)
-
- - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
-
- - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-)
-
- - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-)
-
- - [Does Windows To Go support crash dump analysis?](#does-windows-to-go-support-crash-dump-analysis-)
-
- - [Do "Windows To Go Startup Options" work with dual boot computers?](#do--windows-to-go-startup-options--work-with-dual-boot-computers-)
-
- - [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#i-plugged-my-windows-to-go-drive-into-a-running-computer-and-i-can-t-see-the-partitions-on-the-drive--why-not-)
-
- - [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#i-m-booted-into-windows-to-go--but-i-can-t-browse-to-the-internal-hard-drive-of-the-host-computer--why-not-)
-
- - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#why-does-my-windows-to-go-drive-have-an-mbr-disk-format-with-a-fat32-system-partition-)
-
- - [Is Windows To Go secure if I use it on an untrusted machine?](#is-windows-to-go-secure-if-i-use-it-on-an-untrusted-computer-)
-
- - [Does Windows To Go work with ARM processors?](#does-windows-to-go-work-with-arm-processors-)
-
- - [Can I synchronize data from Windows To Go with my other computer?](#can-i-synchronize-data-from-windows-to-go-with-my-other-computer-)
-
- - [What size USB Flash Drive do I need to make a Windows To Go drive?](#what-size-usb-flash-drive-do-i-need-to-make-a-windows-to-go-drive-)
-
- - [Do I need to activate Windows To Go every time I roam?](#do-i-need-to-activate-windows-to-go-every-time-i-roam-)
-
- - [Can I use all Windows features on Windows To Go?](#can-i-use-all-windows-features-on-windows-to-go-)
-
- - [Can I use all my applications on Windows To Go?](#can-i-use-all-my-applications-on-windows-to-go-)
-
- - [Does Windows To Go work slower than standard Windows?](#does-windows-to-go-work-slower-than-standard-windows-)
-
- - [If I lose my Windows To Go drive, will my data be safe?](#if-i-lose-my-windows-to-go-drive--will-my-data-be-safe-)
-
- - [Can I boot Windows To Go on a Mac?](#can-i-boot-windows-to-go-on-a-mac-)
-
- - [Are there any APIs that allow applications to identify a Windows To Go workspace?](#are-there-any-apis-that-allow-applications-to-identify-a-windows-to-go-workspace-)
-
- - [How is Windows To Go licensed?](#how-is-windows-to-go-licensed-)
-
- - [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#does-windows-recovery-environment-work-with-windows-to-go--what-s-the-guidance-for-recovering-a-windows-to-go-drive-)
-
- - [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#why-won-t-windows-to-go-work-on-a-computer-running-windows-xp-or-windows-vista-)
-
- - [Why does the operating system on the host computer matter?](#why-does-the-operating-system-on-the-host-computer-matter-)
-
- - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-)
-
- - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-)
-
- - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-)
-
- - [How do I upgrade the operating system on my Windows To Go drive?](#how-do-i-upgrade-the-operating-system-on-my-windows-to-go-drive-)
-
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What is Windows To Go?
- answer: |
- Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs.
-
- - question: |
- Does Windows To Go rely on virtualization?
- answer: |
- No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure.
-
- - question: |
- Who should use Windows To Go?
- answer: |
- Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home.
-
- - question: |
- How can Windows To Go be deployed in an organization?
- answer: |
- Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are:
-
- - A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware)
-
- - A Windows 10 Enterprise or Windows 10 Education image
-
- - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
-
- You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process.
-
- - question: |
- Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?
- answer: |
- No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go.
-
- - question: |
- Is Windows To Go supported on USB 2.0 and USB 3.0 ports?
- answer: |
- Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later.
-
- - question: |
- How do I identify a USB 3.0 port?
- answer: |
- USB 3.0 ports are usually marked blue or carry an SS marking on the side.
-
- - question: |
- Does Windows To Go run faster on a USB 3.0 port?
- answer: |
- Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace.
-
- - question: |
- Can the user self-provision Windows To Go?
- answer: |
- Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases include support for user self-provisioning of Windows To Go drives.
-
- - question: |
- How can Windows To Go be managed in an organization?
- answer: |
- Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
-
- - question: |
- How do I make my computer boot from USB?
- answer: |
- For host computers running Windows 10
-
- - Using Cortana, search for **Windows To Go startup options**, and then press Enter.
- - In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB.
-
- For host computers running Windows 8 or Windows 8.1:
-
- Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter.
-
- In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB.
-
- > [!NOTE]
- > Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization.
-
-
-
- If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.
-
- To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.)
-
- After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first.
-
- Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis.
-
- For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
- **Warning**
- Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive.
-
-
-
- - question: |
- Why isn't my computer booting from USB?
- answer: |
- Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
-
- 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
-
- 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
-
- 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port.
-
- If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support.
-
- - question: |
- What happens if I remove my Windows To Go drive while it's running?
- answer: |
- If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds.
-
- **Warning**
- You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive.
-
-
-
- - question: |
- Can I use BitLocker to protect my Windows To Go drive?
- answer: |
- Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace.
-
- - question: |
- Why can't I enable BitLocker from Windows To Go Creator?
- answer: |
- Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types.
-
- When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation:
-
- 1. **Control use of BitLocker on removable drives**
-
- If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive.
-
- 2. **Configure use of smart cards on removable data drives**
-
- If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard.
-
- 3. **Configure use of passwords for removable data drives**
-
- If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker.
-
- Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go.
-
- - question: |
- What power states does Windows To Go support?
- answer: |
- Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace.
-
- - question: |
- Why is hibernation disabled in Windows To Go?
- answer: |
- When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc).
-
- - question: |
- Does Windows To Go support crash dump analysis?
- answer: |
- Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
-
- - question: |
- Do "Windows To Go Startup Options" work with dual boot computers?
- answer: |
- Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
-
- If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported.
-
- - question: |
- I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?
- answer: |
- Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
-
- **Warning**
- It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
-
-
-
- - question: |
- I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?
- answer: |
- Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
-
- **Warning**
- It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefore user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-
-
- - question: |
- Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?
- answer: |
- This is done to allow Windows To Go to boot from UEFI and legacy systems.
-
- - question: |
- Is Windows To Go secure if I use it on an untrusted computer?
- answer: |
- While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive.
-
- - question: |
- Does Windows To Go work with ARM processors?
- answer: |
- No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors.
-
- - question: |
- Can I synchronize data from Windows To Go with my other computer?
- answer: |
- To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need.
-
- - question: |
- What size USB flash drive do I need to make a Windows To Go drive?
- answer: |
- The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size.
-
- - question: |
- Do I need to activate Windows To Go every time I roam?
- answer: |
- No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or through a remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days.
-
- - question: |
- Can I use all Windows features on Windows To Go?
- answer: |
- Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh.
-
- - question: |
- Can I use all my applications on Windows To Go?
- answer: |
- Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time.
-
- - question: |
- Does Windows To Go work slower than standard Windows?
- answer: |
- If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds.
-
- - question: |
- If I lose my Windows To Go drive, will my data be safe?
- answer: |
- Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
-
- - question: |
- Can I boot Windows To Go on a Mac?
- answer: |
- We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac.
-
- - question: |
- Are there any APIs that allow applications to identify a Windows To Go workspace?
- answer: |
- Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device.
-
- Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
-
- For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem).
-
- - question: |
- How is Windows To Go licensed?
- answer: |
- Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.
-
- - question: |
- Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?
- answer: |
- No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace.
-
- - question: |
- Why won't Windows To Go work on a computer running Windows XP or Windows Vista?
- answer: |
- Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
-
- - question: |
- Why does the operating system on the host computer matter?
- answer: |
- It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
-
- - question: |
- My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
- answer: |
- The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary.
-
- You can reset the BitLocker system measurements to incorporate the new boot order using the following steps:
-
- 1. Sign in to the host computer using an account with administrator privileges.
-
- 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
-
- 3. Click **Suspend Protection** for the operating system drive.
-
- A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive.
-
- 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki.
-
- 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.)
-
- 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
-
- 7. Click **Resume Protection** to re-enable BitLocker protection.
-
- The host computer will now be able to be booted from a USB drive without triggering recovery mode.
-
- > [!NOTE]
- > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order.
-
-
-
- - question: |
- I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?
- answer: |
- Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
-
- 1. Open a command prompt with full administrator permissions.
-
- > [!NOTE]
- > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them.
-
-
-
- 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt.
-
- 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available.
-
- 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive.
-
- - question: |
- Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?
- answer: |
- One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
-
- In certain cases, third-party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
-
- This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers.
-
- - question: |
- How do I upgrade the operating system on my Windows To Go drive?
- answer: |
- There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version.
-
-additionalContent: |
-
- ## Additional resources
-
- - [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
- - [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
- - [Windows To Go: feature overview](windows-to-go-overview.md)
- - [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
- - [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
- - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
deleted file mode 100644
index 4332f5785a..0000000000
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: Windows To Go feature overview (Windows 10)
-description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-author: frankroj
-ms.topic: overview
-ms.technology: itpro-deploy
-ms.collection:
- - highpri
- - tier2
-ms.date: 10/28/2022
----
-
-# Windows To Go: feature overview
-
-**Applies to**
-
-- Windows 10
-
-> [!IMPORTANT]
-> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
-
-PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go isn't intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some other considerations that you should keep in mind before you start to use Windows To Go:
-
-- [Windows To Go: feature overview](#windows-to-go-feature-overview)
- - [Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows)
- - [Roaming with Windows To Go](#roaming-with-windows-to-go)
- - [Prepare for Windows To Go](#prepare-for-windows-to-go)
- - [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
-
-> [!NOTE]
-> Windows To Go isn't supported on Windows RT.
-
-## Differences between Windows To Go and a typical installation of Windows
-
-Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:
-
-- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive won't be listed in Windows Explorer.
-- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
-- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.
-- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
-- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled.
-- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces can't be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
-
-## Roaming with Windows To Go
-
-Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer, it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is next booted on that host computer, it will be able to identify the host computer and load the correct set of drivers automatically.
-
-The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware, which will cause difficulties if the workspace is being used with multiple host computers.
-
-## Prepare for Windows To Go
-
-Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
-
-These same tools can be used to provision Windows To Go drive, just as if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
-
-> [!IMPORTANT]
-> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported.
-
-As you decide what to include in your Windows To Go image, be sure to consider the following questions:
-
-Are there any drivers that you need to inject into the image?
-
-How will data be stored and synchronized to appropriate locations from the USB device?
-
-Are there any applications that are incompatible with Windows To Go roaming that shouldn't be included in the image?
-
-What should be the architecture of the image - 32bit/64bit?
-
-What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network?
-
-For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md).
-
-## Hardware considerations for Windows To Go
-
-**For USB drives**
-
-The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following items:
-
-- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly.
-- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later.
-- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details.
-
-As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives:
-
-> [!WARNING]
-> Using a USB drive that has not been certified is not supported.
-
-- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
-- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
-- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
-
-- Super Talent Express RC4 for Windows To Go
-
- -and-
-
- Super Talent Express RC8 for Windows To Go
-
- ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721))
-
-- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722))
-
- We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility, see [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
-
-**For host computers**
-
-When assessing the use of a PC as a host for a Windows To Go workspace, you should consider the following criteria:
-
-- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go.
-- Running a Windows To Go workspace from a computer that is running Windows RT isn't a supported scenario.
-- Running a Windows To Go workspace on a Mac computer isn't a supported scenario.
-
-The following table details the characteristics that the host computer must have to be used with Windows To Go:
-
-|Item|Requirement|
-|--- |--- |
-|Boot process|Capable of USB boot|
-|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you're unsure of the ability of your PC to boot from USB)|
-|Processor architecture|Must support the image on the Windows To Go drive|
-|External USB Hubs|Not supported; connect the Windows To Go drive directly to the host machine|
-|Processor|1 GHz or faster|
-|RAM|2 GB or greater|
-|Graphics|DirectX 9 graphics device with WDDM 1.2 or greater driver|
-|USB port|USB 2.0 port or greater|
-
-**Checking for architectural compatibility between the host PC and the Windows To Go drive**
-
-In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below.
-
-|Host PC Firmware Type|Host PC Processor Architecture|Compatible Windows To Go Image Architecture|
-|--- |--- |--- |
-|Legacy BIOS|32-bit|32-bit only|
-|Legacy BIOS|64-bit|32-bit and 64-bit|
-|UEFI BIOS|32-bit|32-bit only|
-|UEFI BIOS|64-bit|64-bit only|
-
-## Other resources
-
-- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
-- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
-- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951)
-
-## Related articles
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index f49339b0fd..8e5e27c8df 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -2,13 +2,13 @@
title: Windows Pro in S mode
description: Overview of Windows Pro and Enterprise in S mode.
ms.localizationpriority: high
-ms.prod: windows-client
+ms.service: windows-client
manager: aaroncz
author: frankroj
ms.author: frankroj
ms.topic: conceptual
ms.date: 04/26/2023
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows Pro in S mode
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 72d37a8849..c8ea253ee3 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -1,8 +1,8 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index ba7b6d264d..164a2970b3 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,8 +1,8 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index f5f57bd6c5..d1b6ebd87e 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,8 +1,8 @@
---
title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 4373f59f58..ca104fce34 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -2,8 +2,8 @@
title: Deploy drivers and firmware updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index 9279a5e9d4..d4636c3657 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -2,8 +2,8 @@
title: Deploy expedited updates
titleSuffix: Windows Update for Business deployment service
description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index 070ecd8914..99d6c26f7c 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -2,8 +2,8 @@
title: Deploy feature updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index b3fa2680c5..adf8bfe314 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -2,8 +2,8 @@
title: Overview of the deployment service
titleSuffix: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index 74da111142..1f24cbfe24 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -2,8 +2,8 @@
title: Prerequisites for the deployment service
titleSuffix: Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 65a6b7777a..da9f167b83 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -2,8 +2,8 @@
title: Troubleshoot the deployment service
titleSuffix: Windows Update for Business deployment service
description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: troubleshooting
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 9352455d20..d12a78f404 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,8 +1,8 @@
---
title: Evaluate infrastructure and tools
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 41a21d5d7c..51371de0c7 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,8 +1,8 @@
---
title: Best practices - user-initiated feature update installation
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: best-practice
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 972dd73a69..f7968c1ebc 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,8 +1,8 @@
---
title: FoD and language packs for WSUS and Configuration Manager
description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 5dc206f1aa..46dca308f1 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,8 +1,8 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index ef02459999..70f2c18280 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,8 +1,8 @@
---
title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/includes/update-history.md b/windows/deployment/update/includes/update-history.md
index 9963e0b8b6..cc5fb9bb9f 100644
--- a/windows/deployment/update/includes/update-history.md
+++ b/windows/deployment/update/includes/update-history.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/24/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
index 24da4ab44e..572d549362 100644
--- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
index d8c96ee718..cc46da849e 100644
--- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
+++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
index ed62f731f1..f84dd43e0a 100644
--- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
index 336236ee43..9cfcff85ad 100644
--- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
index 23bbb2b2d9..40f67810ab 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index 8d869d1f69..8250bc9e1d 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
index 682134eb32..d4681b40c2 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md
index 34e70ba899..a57711bffd 100644
--- a/windows/deployment/update/includes/wufb-deployment-limitations.md
+++ b/windows/deployment/update/includes/wufb-deployment-limitations.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
index 4e0d5caaff..cd39b4dd7e 100644
--- a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
+++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index da738e8991..a698c7f33b 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 04/26/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 88fd5d146e..a3bfb9b575 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 12/15/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
index 70c1948c7a..f0f14e2a67 100644
--- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
+++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 08/18/2022
ms.localizationpriority: medium
diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
index 479b5a9eff..7057d0789c 100644
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -2,8 +2,8 @@
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.technology: itpro-updates
-ms.prod: windows-client
+ms.subservice: itpro-updates
+ms.service: windows-client
ms.topic: include
ms.date: 07/11/2023
ms.localizationpriority: medium
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index baae39d605..080e86b6ad 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,8 +1,8 @@
---
title: Update Windows installation media with Dynamic Update
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 1245ce7f59..7f6fffc7b4 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -1,8 +1,8 @@
---
title: Migrating and acquiring optional Windows content
description: How to keep language resources and Features on Demand during operating system updates for your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index 3116459b20..dcc9544f7e 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,8 +1,8 @@
---
title: Define readiness criteria
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index 9f3f2e92b7..e2175c7b40 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,8 +1,8 @@
---
title: Define update strategy
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 735e5a3095..6801a4cca8 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -1,8 +1,8 @@
---
title: Determine application readiness
description: How to test your apps to identify which need attention prior to deploying an update in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index ad9ebeff3a..a9af4519db 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -1,8 +1,8 @@
---
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index bb6949ca8e..2d4e8ecb19 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,8 +1,8 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 86232917dd..104400de70 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,8 +1,8 @@
---
title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index 30227f3553..0e0a112ae1 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -1,8 +1,8 @@
---
title: Opt out of safeguard holds
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 7aa9bf3ff1..85af66e440 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -1,8 +1,8 @@
---
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index b534f09c0c..28b05bb90e 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,8 +1,8 @@
---
title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index b7fa2d5094..50b404df35 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -1,8 +1,8 @@
---
title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 7856c98348..11732bc1ca 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -1,8 +1,8 @@
---
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 2a1baa5255..4a74fbe288 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -2,12 +2,12 @@
title: Configure Windows Update for Business
manager: aaroncz
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: conceptual
-ms.technology: itpro-updates
+ms.subservice: itpro-updates
ms.collection:
- tier1
appliesto:
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index d94af9011d..54a680ab36 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,8 +1,8 @@
---
title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index b1aee2ba14..6506f11e90 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,8 +1,8 @@
---
title: Deploy updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 6f20706c2e..59aa615d29 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,8 +1,8 @@
---
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index f027e7d657..fce23e0310 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -1,8 +1,8 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 18b0aa011f..6fd7172197 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,8 +1,8 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 894cb7361b..78cf2b2e50 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,8 +1,8 @@
---
title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 31038c9fc0..fa5ee150d4 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,8 +1,8 @@
---
title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index b370409adb..84c4092f53 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,8 +1,8 @@
---
title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index c696ffee5d..23e561ea09 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -1,8 +1,8 @@
---
title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 22c937a71a..6b757b2706 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,8 +1,8 @@
---
title: Configure Windows Update for Business via Group Policy
description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
manager: aaroncz
ms.topic: conceptual
author: mestew
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index c37d7cc3d2..b6dbfb03a0 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -1,8 +1,8 @@
---
title: Windows Update error code list by component
description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b75a881dc0..80f4dcb167 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,8 +1,8 @@
---
title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: troubleshooting
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 7965aa2782..c81a8e7319 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -1,8 +1,8 @@
---
title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index ab1ed81b28..1d7ec557b6 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -2,8 +2,8 @@
title: Windows Update security
manager: aaroncz
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 714ea509f5..d58ab72657 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -2,8 +2,8 @@
title: Enforce compliance deadlines with policies
titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 0e0b313437..9d93702ea9 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -3,8 +3,8 @@ title: Microsoft 365 admin center software updates page
titleSuffix: Windows Update for Business reports
manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 395856651d..94e36fa723 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -2,8 +2,8 @@
title: Configure devices using Microsoft Intune
titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 7c76c5ad32..545ebbed48 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -2,8 +2,8 @@
title: Manually configure devices to send data
titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 10af47e205..e216694bc7 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -2,8 +2,8 @@
title: Configure clients with a script
titleSuffix: Windows Update for Business reports
description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index d71d76d0be..a02d0d0993 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -2,8 +2,8 @@
title: Delivery Optimization data in reports
titleSuffix: Windows Update for Business reports
description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index 27a5b5ad14..1502d549d2 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -2,8 +2,8 @@
title: Enable Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 10da60be0e..99fee1bb21 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: Frequently Asked Questions (FAQ)
titleSuffix: Windows Update for Business reports
description: Answers to frequently asked questions about Windows Update for Business reports.
- ms.prod: windows-client
- ms.technology: itpro-updates
+ ms.service: windows-client
+ ms.subservice: itpro-updates
ms.topic: faq
manager: aaroncz
author: mestew
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 49268fb5a7..3580a4810a 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -2,8 +2,8 @@
title: Feedback, support, and troubleshooting
titleSuffix: Windows Update for Business reports
description: Windows Update for Business reports support, feedback, and troubleshooting information.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index a38066595f..080f273243 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -2,8 +2,8 @@
title: Windows Update for Business reports overview
titleSuffix: Windows Update for Business reports
description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index c81cd3c96b..30f7ecac00 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -2,8 +2,8 @@
title: Prerequisites for Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
index af84c4b582..ec7e675fd1 100644
--- a/windows/deployment/update/wufb-reports-schema-enumerated-types.md
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -2,8 +2,8 @@
title: Enumerated types
titleSuffix: Windows Update for Business reports
description: Enumerated types for Windows Update for Business reports.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index b5383c4ad8..b4c113ef71 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -2,8 +2,8 @@
title: UCClient data schema
titleSuffix: Windows Update for Business reports
description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index 59208c8193..e531090eff 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -2,8 +2,8 @@
title: UCClientReadinessStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 058a649dd6..e75f3bed7e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -2,8 +2,8 @@
title: UCClientUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index e5dfa88144..c6f38d89f3 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -2,8 +2,8 @@
title: UCDeviceAlert data schema
titleSuffix: Windows Update for Business reports
description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 33540428e2..834c5a0b29 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -2,8 +2,8 @@
title: UCDOAggregatedStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index c78b2c076d..f01a18f679 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -2,8 +2,8 @@
title: UCServiceUpdateStatus data schema
titleSuffix: Windows Update for Business reports
description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index 588cbd8cb6..331547385e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -2,8 +2,8 @@
title: UCUpdateAlert data schema
titleSuffix: Windows Update for Business reports
description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index 75cdcb5587..d87b64907c 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -2,8 +2,8 @@
title: Windows Update for Business reports data schema
titleSuffix: Windows Update for Business reports
description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 2b4f1b8b1a..7fb8613fcf 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -2,8 +2,8 @@
title: Use the Windows Update for Business reports data
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index 3961f146d6..a8e2e42be7 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -2,8 +2,8 @@
title: Use the workbook for Windows Update for Business reports
titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports workbook from the Azure portal.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 295f638ff4..5f5374ac96 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -1,8 +1,8 @@
---
title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 98d17e30e8..5da693649e 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -1,7 +1,7 @@
---
title: Log files and resolving upgrade errors
description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
manager: aaroncz
ms.author: frankroj
@@ -10,7 +10,7 @@ ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/18/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 971b29b367..00ae1403ff 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -2,8 +2,8 @@
title: SetupDiag
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
ms.reviewer: shendrix
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
author: frankroj
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index d970501fec..16cae375b4 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -3,11 +3,11 @@ title: Submit Windows upgrade errors using Feedback Hub
manager: aaroncz
ms.author: frankroj
description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using feedback hub.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/18/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 7686e7d15b..3a3e1ce84b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,7 +1,7 @@
---
title: Windows 10 upgrade paths (Windows 10)
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
index 44c3c79c40..f09b8e67cc 100644
--- a/windows/deployment/upgrade/windows-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -3,14 +3,14 @@ title: Windows edition upgrade
description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index edc0e1a846..6bf70a9220 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -3,11 +3,11 @@ title: Windows error reporting - Windows IT Pro
manager: aaroncz
ms.author: frankroj
description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/18/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 4a534442ee..90b71af916 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -3,10 +3,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10)
description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 08/09/2023
---
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index c8ea3f2dda..cf0bfb9763 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -1,7 +1,7 @@
---
title: Windows upgrade paths
description: Upgrade to current versions of Windows from a previous version of Windows
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 10/02/2023
appliesto:
- ✅ Windows 10
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 2507bb5313..398bf0db0c 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -4,10 +4,10 @@ description: Plan, collect, and prepare the source computer for migration using
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 939c96ca6e..0c0c0cd136 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -4,11 +4,11 @@ description: Learn how to author a custom migration .xml file that migrates the
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 0465a9e2e2..a78ca35e20 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -4,11 +4,11 @@ description: Learn about the migration store types and how to determine which mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 0b291ae30c..37d0ee09aa 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -4,11 +4,11 @@ description: Offline migration enables the ScanState tool to run inside a differ
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 76447bf7e6..a0a19e6b05 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -4,11 +4,11 @@ description: Learn how to modify the behavior of a basic User State Migration To
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index b0dd174acb..52e3d80761 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -4,11 +4,11 @@ description: This article discusses general and security-related best practices
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 0f81628b29..3fa1d56d53 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -4,11 +4,11 @@ description: Learn how to choose a migration store type and estimate the amount
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 46389ba17b..7910d461e3 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -4,11 +4,11 @@ description: Learn about the User State Migration Tool (USMT) command-line synta
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 3f2d0b63c8..3cd5309aed 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -4,11 +4,11 @@ description: See how the User State Migration Tool (USMT) is used when planning
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 2a5afcc0d3..4e57000ce6 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -4,11 +4,11 @@ description: Learn how the Config.xml file is an optional User State Migration T
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 1cbc5f19e7..3bcd0d7bad 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -4,11 +4,11 @@ description: In this article, learn how User State Migration Tool (USMT) deals w
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 30bc9366d2..18b3331ea4 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -4,10 +4,10 @@ description: Use custom XML examples to learn how to migrate an unsupported appl
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index caf629751e..33c3120090 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -4,11 +4,11 @@ description: Learn how to customize USMT XML files. Also, learn about the migrat
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index 45f064acbe..68e87f678b 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -4,11 +4,11 @@ description: Determine migration settings for standard or customized for the Use
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index fb45d82016..8db55b2eae 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -4,11 +4,11 @@ description: Estimate the disk space requirement for a migration so that the Use
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 3d5057bb4b..221ef98e11 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -4,11 +4,11 @@ description: In this article, learn how to exclude files and settings when creat
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 34a771f93f..c39ac18b5a 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -4,11 +4,11 @@ description: In this article, learn how to extract files from a compressed User
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index f53ff44eee..666888f9d3 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: 'USMT Frequently Asked Questions'
description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT).'
ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
- ms.prod: windows-client
- ms.technology: itpro-deploy
+ ms.service: windows-client
+ ms.subservice: itpro-deploy
author: frankroj
ms.author: frankroj
manager: aaroncz
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index d33d7352e7..f0e8b6df67 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -4,11 +4,11 @@ description: Learn about general XML guidelines and how to use XML helper functi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 0223b25691..fb1b03a426 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -4,11 +4,11 @@ description: Use of a hard-link migration store for a computer-refresh scenario
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index d104178d52..7008393b54 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -4,10 +4,10 @@ description: Learn how USMT works and how it includes two tools that migrate set
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index ec174c6783..5356e4e408 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -4,11 +4,11 @@ description: Reference the articles in this article to learn how to use User Sta
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 493e1d8149..588764266d 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -4,11 +4,11 @@ description: Identify which applications and settings need to be migrated before
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 54fbd98fbd..db8587a5a5 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -4,11 +4,11 @@ description: Identify the file types, files, folders, and settings that need to
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index 3d88e65fb7..5d8c14a899 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -4,11 +4,11 @@ description: Identify which system settings need to be migrated. The User State
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 012922be11..6f3195fe0a 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -4,11 +4,11 @@ description: Learn how to identify users that need to be migrated, and how to mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.topic: article
ms.localizationpriority: medium
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
ms.date: 01/09/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 1da15a3f4c..aa89ea14d0 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -4,11 +4,11 @@ description: Specify the migration .xml files that are needed, then use the User
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 596f89f4fa..520ba1010a 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -4,11 +4,11 @@ description: Learn about the syntax and usage of the command-line options availa
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 1df852f15e..53b4df1789 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -4,11 +4,11 @@ description: Learn how to use User State Migration Tool (USMT) logs to monitor t
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index cf601ee1cf..eeb1b3c15f 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -4,11 +4,11 @@ description: Learn how to migrate Encrypting File System (EFS) certificates. Als
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 2ceb559375..898de489c6 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -4,11 +4,11 @@ description: Learn how to migrate user accounts and how to specify which users t
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 0a21f770cd..17d6643a94 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -4,11 +4,11 @@ description: Learn how the User State Migration Tool (USMT) enables support for
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 7f7d552536..f0023bfc0b 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,8 +1,8 @@
---
title: User State Migration Tool (USMT) overview
description: Learn about using User State Migration Tool (USMT) to streamline and simplify user state migration during large deployments of Windows operating systems.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
author: frankroj
ms.reviewer: kevinmi,warrenw
manager: aaroncz
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 259b476d8b..806b4afc87 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -4,11 +4,11 @@ description: Learn how to plan the migration carefully so the migration can proc
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index c981506fa9..be9096cf54 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,8 +1,8 @@
---
title: Recognized environment variables
description: Learn how to use environment variables to identify folders that can be different on different computers.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index d9e5035776..e81d243feb 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -4,11 +4,11 @@ description: Use this User State Migration Toolkit (USMT) article to learn detai
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index eb7ed1c382..1ed79eb022 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -4,11 +4,11 @@ description: While the User State Migration Tool (USMT) doesn't have many requir
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/18/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index e1d3c09748..247311e3eb 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -4,11 +4,11 @@ description: Learn how to create a custom .xml file and specify this file name o
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 3eb634db20..18a09528cb 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -4,11 +4,11 @@ description: Learn about User State Migration Tool (USMT) online resources, incl
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 7ac1922e48..5b74859a02 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -4,11 +4,11 @@ description: The ScanState command is used with the User State Migration Tool (U
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 9e79a478fa..6a7de9fd90 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -4,11 +4,11 @@ description: The User State Migration Tool (USMT) provides a highly customizable
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index e8afbe495c..b4a39f6bfd 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -4,11 +4,11 @@ description: Learn about testing the migration plan in a controlled laboratory s
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 57328e3440..8b868f1fec 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -4,11 +4,11 @@ description: Learn about User State Migration Tool (USMT) overview articles that
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 203c1e2f5e..e3c14bf619 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -4,11 +4,11 @@ description: Learn about articles that address common User State Migration Tool
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 1cec514459..2ccde56d88 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -4,11 +4,11 @@ description: Learn about the syntax for the utilities available in User State Mi
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index 85b57065ed..cee6051fd0 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -4,11 +4,11 @@ description: Learn how User State Migration Tool (USMT) is designed so that an I
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/18/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 5f4ace10bf..7e06dffcf9 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -4,11 +4,11 @@ description: Learn about the XML elements and helper functions that can be emplo
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index a6fd75e2bd..4bc9ba48e0 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -4,11 +4,11 @@ description: Learn about working with and customizing the migration XML files us
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index f100667719..2f66da5edc 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -4,11 +4,11 @@ description: Use these tips and tricks to verify the condition of a compressed m
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index f9f5cfeac3..3182faf447 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -4,11 +4,11 @@ description: Learn about the XML file requirements for creating custom .xml file
ms.reviewer: kevinmi,warrenw
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 01/09/2024
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index aefcd10aa4..0e1c0ccf66 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 11/14/2023
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index 956036f01b..4c3cae83e2 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) Activ
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate by Proxy an Active Directory Forest
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index ce77d52b35..82278ce278 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) Active Directory-B
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate an Active Directory Forest Online
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 9304d88783..94a2db6f87 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: how-to
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index b1056c9728..0f74f80116 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -2,8 +2,8 @@
title: Activate using Key Management Service
description: Learn how to use Key Management Service (KMS) to activate Windows.
ms.reviewer: nganguly
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 2dbac0a510..006a02b12c 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -4,12 +4,12 @@ description: After you have configured Key Management Service (KMS) or Active Di
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Activate clients running Windows 10
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
index 37122356a9..3d293922bf 100644
--- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md
+++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
@@ -4,11 +4,11 @@ description: Enable your enterprise to activate its computers through a connecti
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Active Directory-Based Activation overview
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md
index a57398003d..a458568f79 100644
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -4,11 +4,11 @@ description: Add client computers into the Volume Activation Management Tool (VA
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and manage products
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 20e49eabe0..4ee747359f 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -4,11 +4,11 @@ description: The Discover products function on the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and remove computers
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index 229cb229b6..89439e87f0 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -4,11 +4,11 @@ description: Add a product key to the Volume Activation Management Tool (VAMT) d
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Add and remove a product key
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index be88aa7204..4d9d39522a 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -5,8 +5,8 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index a2282b3152..5b39a2996e 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -5,10 +5,10 @@ ms.reviewer: nganguly
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Configure client computers
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 378f187d4d..888523a907 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -4,8 +4,8 @@ description: Learn how to use the VAMT to import product-activation data from a
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: how-to
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index c2f7b56ef2..ed447a8674 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -4,12 +4,12 @@ description: Learn how to install and configure the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install and configure VAMT
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index 1788056d42..0c65b30992 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install a KMS Client Key
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index e98a27e5cd..fec886a0b7 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Install a Product Key
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 455f978c0a..e5e731a271 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -4,12 +4,12 @@ description: Learn how to install Volume Activation Management Tool (VAMT) as pa
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 10/13/2023
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index ecd19f7dcc..ae69a809d3 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -4,8 +4,8 @@ description: VAMT enables administrators to automate and centrally manage the Wi
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md
index 5c00b19da0..97e5bcca16 100644
--- a/windows/deployment/volume-activation/kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/kms-activation-vamt.md
@@ -4,11 +4,11 @@ description: The Volume Activation Management Tool (VAMT) can be used to perform
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform KMS activation
diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md
index 51ac686f69..277342a97d 100644
--- a/windows/deployment/volume-activation/local-reactivation-vamt.md
+++ b/windows/deployment/volume-activation/local-reactivation-vamt.md
@@ -4,11 +4,11 @@ description: An initially activated a computer using scenarios like MAK, retail,
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform local reactivation
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index 92fe7a7905..20fa3589f1 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to manage activations and how to activate a client comput
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage Activations
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index 51995c11dc..ccaa432308 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -4,11 +4,11 @@ description: In this article, learn how to add and remove a product key from the
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage Product Keys
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index 174118be90..b1556b3af2 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -4,11 +4,11 @@ description: Learn how to save, import, export, and merge a Computer Information
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Manage VAMT Data
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 87357dbe84..e48768162a 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -4,11 +4,11 @@ ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
description: Understand the most common methods to monitor the success of the activation process for a computer running Windows.
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 11/07/2022
---
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index 8ca7a4f5bd..537f46d71e 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to en
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform online activation
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 71a14f511f..dee94991fe 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -4,11 +4,11 @@ description: Product activation is the process of validating software with the m
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 11/07/2022
---
diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md
index 756957a315..9e14cf5631 100644
--- a/windows/deployment/volume-activation/proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/proxy-activation-vamt.md
@@ -4,11 +4,11 @@ description: Perform proxy activation by using the Volume Activation Management
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Perform Proxy Activation
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index 1da6d8b48a..2b49facf89 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -4,11 +4,11 @@ description: Learn how you must delete products from the product list view so yo
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Remove products
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index 414c9569db..0dc03e90e0 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to ac
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 3: KMS client activation
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 8040430270..1f573be911 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -4,11 +4,11 @@ description: Achieve network access by deploying the Volume Activation Managemen
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 1: Online Activation
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 61b958307c..654a67b2b3 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) to activate produc
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Scenario 2: Proxy Activation
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 3a5330083f..713a1587f0 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -4,11 +4,11 @@ description: Learn how to use the Update license status function to add the prod
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Update product status
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index d086a0d8ca..9962ec8943 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -4,12 +4,12 @@ description: The Volume Activation Management Tool (VAMT) provides several usefu
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Use the Volume Activation Management Tool
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 776d1007ab..0add9fe565 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -4,11 +4,11 @@ description: Learn how to use Volume Activation Management Tool (VAMT) PowerShel
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Use VAMT in Windows PowerShell
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 4b52470719..a11eb40946 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -4,11 +4,11 @@ description: Find out the current known issues with the Volume Activation Manage
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT known issues
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index d66ce6f5a0..0080eb1275 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -4,11 +4,11 @@ description: In this article, learn about the product key and system requieremen
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT requirements
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index e085f009c8..d13bf3cb1e 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -4,11 +4,11 @@ description: Learn step-by-step instructions on implementing the Volume Activati
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# VAMT step-by-step scenarios
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 6d157c6365..438e8f8684 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -4,8 +4,8 @@ description: The Volume Activation Management Tool (VAMT) enables network admini
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
author: frankroj
ms.date: 11/07/2022
ms.topic: overview
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index 3c213a2a45..a483753c32 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -4,12 +4,12 @@ description: Learn how to use volume activation to deploy & activate Windows 10.
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
ms.date: 11/07/2022
ms.topic: article
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
---
# Volume Activation for Windows 10
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 5c34ff5222..13ee0fd808 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -1,14 +1,14 @@
---
title: Windows Deployment Services (WDS) boot.wim support
description: This article provides details on the support capabilities of WDS for end to end operating system deployment.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows Deployment Services (WDS) boot.wim support
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 25168e8c14..aecea5c3dc 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -4,8 +4,8 @@ description: View and download Windows 10 deployment process flows for Microsoft
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
ms.topic: reference
ms.date: 11/23/2022
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index c216cfa830..a45b5e94dc 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -4,11 +4,11 @@ description: Understand the different ways Windows 10 operating system can be de
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10 deployment scenarios
@@ -94,7 +94,7 @@ There are some situations where you can't use in-place upgrade; in these situati
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 93cf409b93..7cfea55299 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,14 +1,14 @@
---
title: Windows 10/11 Enterprise E3 in CSP
description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10/11 Enterprise E3 in CSP
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index 364c23a213..3ba1d1b034 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -1,14 +1,14 @@
---
title: How to install fonts missing after upgrading to Windows client
description: Some of the fonts are missing from the system after you upgrade to Windows client.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# How to install fonts that are missing after upgrading to Windows client
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
deleted file mode 100644
index 35e82745ea..0000000000
--- a/windows/deployment/windows-10-poc-mdt.md
+++ /dev/null
@@ -1,668 +0,0 @@
----
-title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: how-to
-ms.technology: itpro-deploy
----
-
-# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-
-*Applies to:*
-
-- Windows 10
-
-> [!IMPORTANT]
-> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
->
-> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
->
-> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
->
-> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
-
-This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
-
-## In this guide
-
-This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-|Topic|Description|Time|
-|--- |--- |--- |
-|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational|
-|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes|
-|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes|
-|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes|
-|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes|
-|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes|
-|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational|
-
-## About MDT
-
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
-
-- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
-
-## Install MDT
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
- Stop-Process -Name Explorer
- ```
-
-1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options.
-
-1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components.
-
-1. If desired, re-enable IE Enhanced Security Configuration:
-
- ```powershell
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Create a deployment share and reference image
-
-A reference image serves as the foundation for Windows 10 devices in your organization.
-
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
-
- ```powershell
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-
-2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
-
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then select **Pin this program to the taskbar**.
-
-5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-6. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: Select **Next** to accept the default
- - Summary: Select **Next**
- - Progress: settings will be applied
- - Confirmation: Select **Finish**
-
-7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-8. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
-
-9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-
-10. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: Select **Next**
- - Progress: wait for files to be copied
- - Confirmation: Select **Finish**
-
- For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
-
-11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence**
- - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- - Specify Product Key: **Do not specify a product key at this time**
- - Full Name: **Contoso**
- - Organization: **Contoso**
- - Internet Explorer home page: `http://www.contoso.com`
- - Admin Password: **Do not specify an Administrator password at this time**
- - Summary: Select **Next**
- - Confirmation: Select **Finish**
-
-12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-13. Select the **Task Sequence** tab. Under **State Restore** select **Tattoo** to highlight it, then select **Add** and choose **New Group**.
-
-14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. Select another location in the window to see the name change.
-
-15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
-
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
-
-17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-
- > [!NOTE]
- > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
-
-18. Select **OK** to complete editing the task sequence.
-
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and select **Properties**, and then select the **Rules** tab.
-
-20. Replace the default rules with the following text:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- UserDataLocation=NONE
- DoCapture=YES
- OSInstall=Y
- AdminPassword=pass@word1
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- JoinWorkgroup=WORKGROUP
- HideShell=YES
- FinishAction=SHUTDOWN
- DoNotCreateExtraPartition=YES
- ApplyGPOPack=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=YES
- SkipBitLocker=YES
- SkipSummary=YES
- SkipRoles=YES
- SkipCapture=NO
- SkipFinalSummary=NO
- ```
-
-21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTBuildLab$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-22. Select **OK** to complete the configuration of the deployment share.
-
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
-
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
-
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
- > [!TIP]
- > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
-
- ```powershell
- New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
- Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
- Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
- Start-VM REFW10X64-001
- vmconnect localhost REFW10X64-001
- ```
-
- The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
-
-28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
-
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
-
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
-
-## Deploy a Windows 10 image using MDT
-
-This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
-
-1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
-
- - **Deployment share path**: C:\MDTProd
- - **Share name**: MDTProd$
- - **Deployment share description**: MDT Production
- - **Options**: accept the default
-
-2. Select **Next**, verify the new deployment share was added successfully, then select **Finish**.
-
-3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then select **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
-
-4. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-
-5. On the **OS Type** page, choose **Custom image file** and then select **Next**.
-
-6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
-
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
-
-8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
-
-9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, select **Next** twice, wait for the import process to complete, and then select **Finish**.
-
-10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then select **OK**. See the following example:
-
- 
-
-### Create the deployment task sequence
-
-1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
-
-2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-
- - Task sequence ID: W10-X64-001
- - Task sequence name: Windows 10 Enterprise x64 Custom Image
- - Task sequence comments: Production Image
- - Select Template: Standard Client Task Sequence
- - Select OS: Windows 10 Enterprise x64 Custom Image
- - Specify Product Key: Don't specify a product key at this time
- - Full Name: Contoso
- - Organization: Contoso
- - Internet Explorer home page: `http://www.contoso.com`
- - Admin Password: pass@word1
-
-### Configure the MDT production deployment share
-
-1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
-
- ```powershell
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
- ```
-
-2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
-
-3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=administrator
- DomainAdminDomain=CONTOSO
- DomainAdminPassword=pass@word1
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- EventService=http://SRV1:9800
- ```
-
- > [!NOTE]
- > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
-
- In this example, a **MachineObjectOU** entry isn't provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab, clients are added to the default computers OU, which requires that this parameter be unspecified.
-
- If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
-
- ```cmd
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- ```
-
- For example, to migrate **all** users on the computer, replace this line with the following line:
-
- ```cmd
- ScanStateArgs=/all
- ```
-
- For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
-
-4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTProd$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-5. Select **OK** when finished.
-
-### Update the deployment share
-
-1. Right-click the **MDT Production** deployment share and then select **Update Deployment Share**.
-
-2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
-
-3. Select **Finish** when the update is complete.
-
-### Enable deployment monitoring
-
-1. In the Deployment Workbench console, right-click **MDT Production** and then select **Properties**.
-
-2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
-
-3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you don't see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
-
-4. Close Internet Explorer.
-
-### Configure Windows Deployment Services
-
-1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```cmd
- WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
- WDSUTIL.exe /Set-Server /AnswerClients:All
- ```
-
-2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
-
-3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then select **Add Boot Image**.
-
-4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, select **Open**, select **Next**, and accept the defaults in the Add Image Wizard. Select **Finish** to complete adding a boot image.
-
-### Deploy the client image
-
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
-
- > [!NOTE]
- > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
-
- Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
-
- ```powershell
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- >Wait until the disable-netadapter command completes before proceeding.
-
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
- ```
-
- Dynamic memory is configured on the VM to conserve resources. However, dynamic memory can cause memory allocation to be reduced below what is required to install an operating system. If memory is reduced below what is required, reset the VM and begin the OS installation task sequence immediately. The reset ensures the VM memory allocation isn't decreased too much while it's idle.
-
-3. Start the new VM and connect to it:
-
- ```powershell
- Start-VM PC2
- vmconnect localhost PC2
- ```
-
-4. When prompted, hit ENTER to start the network boot process.
-
-5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
-
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
-
- ```powershell
- Enable-NetAdapter "Ethernet 2"
- ```
-
-7. On SRV1, in the Deployment Workbench console, select on **Monitoring** and view the status of installation. Right-click **Monitoring** and select **Refresh** if no data is displayed.
-
-8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, select **Finish**. You'll be automatically signed in to the local computer as administrator.
-
- 
-
-This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
-
-## Refresh a computer with Windows 10
-
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
-
-1. If the PC1 VM isn't already running, then start and connect to it:
-
- ```powershell
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Checkpoint-VM -Name PC1 -SnapshotName BeginState
- ```
-
-3. Sign on to PC1 using the CONTOSO\Administrator account.
-
- Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-
-4. Open an elevated command prompt on PC1 and enter the following command:
-
- ```cmd
- cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-
- > [!NOTE]
- > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
-
-5. Choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
-
-6. Choose **Do not back up the existing computer** and select **Next**.
-
- > [!NOTE]
- > The USMT will still back up the computer.
-
-7. Lite Touch Installation will perform the following actions:
- - Back up user settings and data using USMT.
- - Install the Windows 10 Enterprise X64 operating system.
- - Update the operating system via Windows Update.
- - Restore user settings and data using USMT.
-
- You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
-
-8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-
-9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Checkpoint-VM -Name PC1 -SnapshotName RefreshState
- ```
-
-10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-11. Sign in to PC1 using the contoso\administrator account.
-
-## Replace a computer with Windows 10
-
-At a high level, the computer replace process consists of:
-
-- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
-
-### Create a backup-only task sequence
-
-1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
-
-2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
-
-3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- New-Item -Path C:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
- icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
- ```
-
-4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
-
-5. Name the new folder **Other**, and complete the wizard using default options.
-
-6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
-
- - **Task sequence ID**: REPLACE-001
- - **Task sequence name**: Backup Only Task Sequence
- - **Task sequence comments**: Run USMT to back up user data and settings
- - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
-
-7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
-
-8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
-
-### Run the backup-only task sequence
-
-1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
-
- ```cmd
- whoami.exe
- ```
-
-2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
-
- ```powershell
- Remove-Item c:\minint -recurse
- Remove-Item c:\_SMSTaskSequence -recurse
- Restart-Computer
- ```
-
-3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
-
- ```cmd
- cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-
-4. Complete the deployment wizard using the following settings:
-
- - **Task Sequence**: Backup Only Task Sequence
- - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- - **Computer Backup**: Don't back up the existing computer.
-
-5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
-
-6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
-
-7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
-
- ```cmd
- dir C:\MigData\PC1\USMT
-
- Directory: C:\MigData\PC1\USMT
-
- Mode LastWriteTime Length Name
- ---- ------------- ------ ----
- -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
- ```
-
-### Deploy PC3
-
-1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
- ```
-
-2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
-
-3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Start-VM PC3
- vmconnect localhost PC3
- ```
-
-4. When prompted, press ENTER for network boot.
-
-5. On PC3, use the following settings for the Windows Deployment Wizard:
- - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- - **Move Data and Settings**: Don't move user data and settings
- - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
-
-6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
-
- ```powershell
- Enable-NetAdapter "Ethernet 2"
- ```
-
-7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
-
-8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, select **Finish**.
-
-9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
-
-10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
-
-## Troubleshooting logs, events, and utilities
-
-Deployment logs are available on the client computer in the following locations:
-
-- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
-- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
-- After deployment: %WINDIR%\TEMP\DeploymentLogs
-
-You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then select **Enable Log**.
-
-Also see [Resolve Windows upgrade errors](upgrade/resolve-windows-upgrade-errors.md) for detailed troubleshooting information.
-
-## Related articles
-
-[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
-
-[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d3c1320d86..0ea49d8ff8 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,8 +1,8 @@
---
title: Steps to deploy Windows 10 with Configuration Manager
description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager.
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
manager: aaroncz
ms.author: frankroj
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 11b304e822..2ce3939cc7 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -4,8 +4,8 @@ description: Learn about concepts and procedures for deploying Windows 10 in a p
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.service: windows-client
+ms.subservice: itpro-deploy
ms.localizationpriority: medium
ms.topic: tutorial
ms.date: 11/23/2022
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index d2bf8bb55d..82bb386aa3 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -5,10 +5,10 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.localizationpriority: medium
-ms.prod: windows-client
+ms.service: windows-client
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Switch to Windows 10 Pro or Enterprise from S mode
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index b5fc8eb923..53e3545bcc 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,8 +1,8 @@
---
title: Windows subscription activation
description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index f38cf33ebe..62fb152578 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -4,11 +4,11 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
ms.topic: article
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows ADK for Windows 10 scenarios for IT Pros
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 3e70bd954a..ad9a0f5cd6 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -2,8 +2,8 @@
title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index f9ce34d2ae..8b6b068ad3 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -2,8 +2,8 @@
title: Device registration overview
description: This article provides an overview on how to register devices in Autopatch
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index ed02a37c7c..a6c9f21e50 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -2,8 +2,8 @@
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
ms.date: 12/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
index b482faa489..e2bea8f124 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -2,8 +2,8 @@
title: Windows Autopatch groups overview
description: This article explains what Autopatch groups are
ms.date: 07/20/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index e41d8e60f4..3b645bbe9a 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -2,8 +2,8 @@
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
ms.date: 09/16/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 4cb39e3d34..eb42feb07c 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -2,8 +2,8 @@
title: Register your devices
description: This article details how to register devices in Autopatch
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index c79efcf511..85e775ab5f 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -12,11 +12,12 @@ metadata:
ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
manager: dougeby
ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
- ms.prod: windows-client
- ms.technology: itpro-updates
+ ms.service: windows-client
+ ms.subservice: itpro-updates
ms.collection:
- highpri
- tier2
+ - essentials-navigation
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index 563e6370c5..580ce1d51e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -2,8 +2,8 @@
title: Device alerts
description: Provide notifications and information about the necessary steps to keep your devices up to date.
ms.date: 08/01/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index 5aadb310ef..7b7842753d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -2,8 +2,8 @@
title: Microsoft Edge
description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
index 843b7e8d3c..2d999981a9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -2,8 +2,8 @@
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
index 0a4f67979c..da98fc8493 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@@ -2,8 +2,8 @@
title: Manage Windows feature update releases
description: This article explains how you can manage Windows feature updates with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
index 66164cc373..d8a1374a2e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -2,8 +2,8 @@
title: Software update management for Autopatch groups
description: This article provides an overview of how updates are handled with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: overview
ms.localizationpriority: medium
author: tiaraquan
@@ -13,6 +13,7 @@ ms.reviewer: andredm7
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Software update management
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
index 8ffc66a28a..576ea5c4fd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -2,8 +2,8 @@
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
index 8fe50bb86f..2eca3870a8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -2,8 +2,8 @@
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index 6f8527fdc9..b17907bbd8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -2,8 +2,8 @@
title: Windows feature update summary dashboard
description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 10/11/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
index fba33aa57e..48b01d086c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
@@ -2,8 +2,8 @@
title: Feature update trending report
description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
index 880f821953..1b621ea6a9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@@ -2,8 +2,8 @@
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
index 07094d7204..a7d1e463bf 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@@ -2,8 +2,8 @@
title: Windows quality update communications for Autopatch groups
description: This article explains Windows quality update communications for Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
index 3459608d52..5a8a4e050e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@@ -2,8 +2,8 @@
title: Windows quality update end user experience for Autopatch groups
description: This article explains the Windows quality update end user experience using the Autopatch groups exp
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 6692fad8cb..4a50210c21 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -2,8 +2,8 @@
title: Windows quality updates overview with Autopatch groups experience
description: This article explains how Windows quality updates are managed with Autopatch groups
ms.date: 01/22/2024
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
index aa8e2f4e82..167b47ea89 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@@ -2,8 +2,8 @@
title: Windows quality update release signals with Autopatch groups
description: This article explains the Windows quality update release signals with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
index af916925f0..1e0d0df041 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -2,8 +2,8 @@
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index e744f0c407..7fcb83c86f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -2,8 +2,8 @@
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
ms.date: 10/04/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index 71b96ec441..335e48b515 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -2,8 +2,8 @@
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
ms.date: 09/01/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
index 9f63be7938..eb838e0137 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -2,8 +2,8 @@
title: Customize Windows Update settings Autopatch groups experience
description: How to customize Windows Updates with Autopatch groups
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index fe9d6b3321..9dc0a3c904 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -2,8 +2,8 @@
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
@@ -13,6 +13,7 @@ ms.reviewer: smithcharles
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Maintain the Windows Autopatch environment
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
index 041df4c91f..ce07a487cf 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -2,8 +2,8 @@
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
ms.date: 08/22/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 3120c809f3..fe3318ac6a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -2,8 +2,8 @@
title: Microsoft 365 Apps for enterprise
description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
ms.date: 10/27/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
index d998b1df2c..884e726610 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -2,8 +2,8 @@
title: policy health and remediation
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
ms.date: 07/25/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
@@ -13,6 +13,7 @@ ms.reviewer: rekhanr
ms.collection:
- highpri
- tier1
+ - essentials-manage
---
# Policy health and remediation
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 20c341551a..788caa8a4c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -2,8 +2,8 @@
title: Submit a support request
description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
ms.date: 09/06/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index 21a44e576c..add843c19b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -2,8 +2,8 @@
title: Microsoft Teams
description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index 2c89d2a8ce..2809bda9c5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -2,8 +2,8 @@
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 08/08/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
index 7fc5bce674..a54e3315bc 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
@@ -2,8 +2,8 @@
title: Windows Autopatch deployment guide
description: This guide explains how to successfully deploy Windows Autopatch in your environment
ms.date: 08/24/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
@@ -12,6 +12,7 @@ manager: dougeby
ms.reviewer: hathind
ms.collection:
- tier2
+ - essentials-get-started
---
# Windows Autopatch deployment guide
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 3f0e20c935..c3b5f2432d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -2,7 +2,7 @@
metadata:
title: Windows Autopatch - Frequently Asked Questions (FAQ)
description: Answers to frequently asked questions about Windows Autopatch.
- ms.prod: windows-client
+ ms.service: windows-client
ms.topic: faq
ms.date: 12/04/2023
audience: itpro
@@ -11,7 +11,7 @@ metadata:
author: tiaraquan
ms.author: tiaraquan
ms.reviwer: hathind
- ms.technology: itpro-updates
+ ms.subservice: itpro-updates
title: Frequently Asked Questions about Windows Autopatch
summary: This article answers frequently asked questions about Windows Autopatch.
sections:
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 62ac288ad4..b20e87d864 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -2,8 +2,8 @@
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 08/08/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
@@ -12,6 +12,7 @@ manager: dougeby
ms.collection:
- highpri
- tier1
+ - essentials-overview
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 0e481d7a66..17f1503d40 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -2,8 +2,8 @@
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 09/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
ms.localizationpriority: medium
author: tiaraquan
@@ -13,6 +13,7 @@ ms.reviewer: hathind
ms.collection:
- highpri
- tier1
+ - essentials-privacy
---
# Privacy
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 5ac998067b..a58a816e1d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -2,8 +2,8 @@
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 08/31/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index c7695ea433..a682ec9b87 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -2,8 +2,8 @@
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 95f0ed85fc..8665175196 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -2,8 +2,8 @@
title: Enroll your tenant
description: This article details how to enroll your tenant
ms.date: 09/15/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index bc26753af7..5250f979ca 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -2,8 +2,8 @@
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
ms.date: 09/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index f7a2045294..b7e91d3f26 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -2,8 +2,8 @@
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
ms.date: 09/12/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 94b4b293fd..f6579437b7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -2,8 +2,8 @@
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
ms.date: 01/11/2024
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index be2b2ce1b9..c428363ee4 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -2,8 +2,8 @@
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 12/13/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: reference
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
index 865f6c15c9..1d2b8bcc4c 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
@@ -2,8 +2,8 @@
title: Conflicting configurations
description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
ms.date: 09/05/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index 21d90312fd..7f6dae1761 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -2,8 +2,8 @@
title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
description: This article explains how driver and firmware updates are managed in Autopatch
ms.date: 06/26/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 2534e971d5..df14a0c2d1 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -2,8 +2,8 @@
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 06/23/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index e72d9e8042..dc612871a2 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -2,8 +2,8 @@
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
ms.date: 09/02/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
index dc5d2ccde2..e3dbdc77e2 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
@@ -2,8 +2,8 @@
title: What's new 2022
description: This article lists the 2022 feature releases and any corresponding Message center post numbers.
ms.date: 12/09/2022
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index c47bb6418b..9ef78db499 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -2,8 +2,8 @@
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 12/14/2023
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index d145102556..718ac4437b 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -2,8 +2,8 @@
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
ms.date: 01/22/2024
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.service: windows-client
+ms.subservice: itpro-updates
ms.topic: whats-new
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index b6ac225f0e..89a7b65ab6 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -4,10 +4,10 @@ description: Learn about the tools you can use to deploy Windows 10 and related
manager: aaroncz
ms.author: frankroj
author: frankroj
-ms.prod: windows-client
+ms.service: windows-client
ms.topic: article
ms.date: 11/23/2022
-ms.technology: itpro-deploy
+ms.subservice: itpro-deploy
---
# Windows 10 deployment scenarios and tools
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index e651c1901d..51c7c76e38 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.prod: windows-client
ms.collection:
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 5187258157..3aa78b5848 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -1,8 +1,8 @@
---
title: Diagnostic Data Viewer for PowerShell Overview (Windows 10)
description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index c574ccb678..55ed54b6bd 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index f4ff30a23c..9e654c4f7c 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index f5bdec7600..9a5fa7bcfb 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level.
title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 56be393273..c047c5d610 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level.
title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 875429c841..749915474a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level.
title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 0eb6b38dc9..4815879665 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -1,8 +1,8 @@
---
title: Changes to Windows diagnostic data collection
description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index c47bf6303c..638225c604 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,8 +1,8 @@
---
description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization.
title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
index caf816b1d7..69ce081127 100644
--- a/windows/privacy/copilot-supplemental-terms.md
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -1,8 +1,8 @@
---
title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
description: The Supplemental Terms for Copilot in Windows (Preview)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: medium
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index df75c73dc5..040d37454e 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -1,8 +1,8 @@
---
title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11)
description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index b8bd28080f..c31afd7cdc 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,8 +1,8 @@
---
title: Enhanced diagnostic data required by Windows Analytics (Windows 10)
description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index a16d53210c..f397b8c180 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -1,8 +1,8 @@
---
title: Essential services and connected experiences for Windows
description: Explains what the essential services and connected experiences are for Windows
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index a6892742ba..149f150ae7 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -9,7 +9,9 @@ metadata:
description: Learn about how privacy is managed in Windows.
ms.prod: windows-client
ms.topic: hub-page # Required
- ms.collection: highpri
+ ms.collection:
+ - highpri
+ - essentials-privacy
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index cf953e1759..45d6b7c45e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -1,8 +1,8 @@
---
title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c487f33918..e5ca2312fd 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,8 +1,8 @@
---
title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services
description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 79bba0d70f..fa51d0f255 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -1,8 +1,8 @@
---
title: Connection endpoints for Windows 11 Enterprise
description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index f6b643c76d..319a0c8305 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -1,8 +1,8 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 2004
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index f79b3dd872..91da38dfa3 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -2,8 +2,8 @@
description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
keywords: privacy, telemetry
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 9b5cb9c9db..9716a4c5ce 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -1,8 +1,8 @@
---
description: Learn more about the Windows 11 diagnostic data gathered at the basic level.
title: Required diagnostic events and fields for Windows 11, version 21H2
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index dd99685ad0..b552e20cf5 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,8 +1,8 @@
---
description: Learn more about the required Windows 10 diagnostic data gathered.
title: Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004)
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index cc4c373f09..ab86dc703a 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -1,14 +1,15 @@
---
title: Windows Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 05/20/2019
ms.topic: conceptual
+ms.collection: essentials-compliance
---
# Windows Privacy Compliance:
A Guide for IT and Compliance Professionals
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 483e61d221..f27e7c4961 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 11 connection endpoints for non-Enterprise editions
description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index 7ae4b7f694..6716304894 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -1,8 +1,8 @@
---
title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
description: Use this article to learn about the types of data that is collected the Full diagnostic data level.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 8f05003e77..44ea57dcd1 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10)
description: Use this article to learn about the types of optional diagnostic data that is collected.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 74b6ce5ab7..b4736b74ce 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 2a78739318..c8f28f8ea4 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -1,8 +1,8 @@
---
title: Windows 10, version 2004, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004.
-ms.prod: windows-client
-ms.technology: itpro-privacy
+ms.service: windows-client
+ms.subservice: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 284e549300..e9d01861ab 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -35,7 +35,7 @@ To configure UAC, you can use:
The following instructions provide details how to configure your devices. Select the option that best suits your needs.
-#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Configure UAC with a Settings catalog policy
@@ -61,7 +61,7 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local
| **Setting name**: Switch to the secure desktop when prompting for elevation
**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
| **Setting name**: Virtualize file and registry write failures to per-user locations
**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
-#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy.
@@ -80,7 +80,7 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
-#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
index ef477ce467..a095fd7246 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md
@@ -3,7 +3,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Administer AppLocker
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index ffd2a32a70..654b172dca 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -6,7 +6,7 @@ ms.collection:
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# AppLocker
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index e237fc6361..e974fdf194 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -3,7 +3,7 @@ title: Deploy AppLocker policies by using the enforce rules setting
description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Deploy AppLocker policies by using the enforce rules setting
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index ed64315838..fe3ac2062b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -3,7 +3,7 @@ title: Edit an AppLocker policy
description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Edit an AppLocker policy
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 933deb03c0..75f6df943a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -3,7 +3,7 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Maintain AppLocker policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 6523b1bccc..63277272b1 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -3,7 +3,7 @@ title: Optimize AppLocker performance
description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Optimize AppLocker performance
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 33b57f4bc0..e47477a31a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -3,7 +3,7 @@ title: Test and update an AppLocker policy
description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Test and update an AppLocker policy
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index ffefd947e7..0678fb60b9 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -3,7 +3,7 @@ title: Use the AppLocker Windows PowerShell cmdlets
description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/19/2023
+ms.date: 01/03/2024
---
# Use the AppLocker Windows PowerShell cmdlets
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
index 90bdaa9748..21442ea394 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md
@@ -4,6 +4,7 @@ description: Learn how to plan and implement a WDAC deployment.
ms.localizationpriority: medium
ms.date: 01/23/2023
ms.topic: overview
+ms.collection: essentials-get-started
---
# Deploying Windows Defender Application Control (WDAC) policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
index 9b0edc0e23..889b1c2d8d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md
@@ -4,6 +4,7 @@ description: Gather information about how your deployed Windows Defender Applica
ms.localizationpriority: medium
ms.date: 03/30/2023
ms.topic: article
+ms.collection: essentials-manage
---
# Windows Defender Application Control operational guide
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
index b6495d2d01..5e998b8788 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -2,7 +2,7 @@
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
-ms.date: 12/19/2023
+ms.date: 01/03/2024
ms.topic: article
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 500f4c397b..e178b6f5e1 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -5,6 +5,8 @@ ms.localizationpriority: medium
ms.collection:
- tier3
- must-keep
+- essentials-navigation
+- essentials-overview
ms.date: 08/30/2023
ms.topic: article
---
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index e6e9d95ed6..9f8373b96b 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -37,7 +37,7 @@ To enable Credential Guard, you can use:
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
-#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Configure Credential Guard with Intune
@@ -64,7 +64,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
Once the policy is applied, restart the device.
-#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
### Configure Credential Guard with group policy
@@ -81,7 +81,7 @@ Once the policy is applied, restart the device.
Once the policy is applied, restart the device.
-#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
### Configure Credential Guard with registry settings
@@ -232,7 +232,7 @@ There are different options to disable Credential Guard. The option you choose d
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
-#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Disable Credential Guard with Intune
@@ -254,7 +254,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
Once the policy is applied, restart the device.
-#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
### Disable Credential Guard with group policy
@@ -270,7 +270,7 @@ If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling
Once the policy is applied, restart the device.
-#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
### Disable Credential Guard with registry settings
@@ -336,7 +336,7 @@ Use one of the following options to disable VBS:
[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
-#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Disable VBS with Intune
@@ -358,7 +358,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
Once the policy is applied, restart the device.
-#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
### Disable VBS with group policy
@@ -374,7 +374,7 @@ Configure the policy used to enable VBS to **Disabled**.
Once the policy is applied, restart the device
-#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
### Disable VBS with registry settings
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
new file mode 100644
index 0000000000..7c498d0bb4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -0,0 +1,137 @@
+---
+title: Configure Windows Hello for Business
+description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
+ms.topic: how-to
+ms.date: 01/03/2024
+---
+
+# Configure Windows Hello for Business
+
+This article describes the options to configure Windows Hello for Business in an organization, and how to implement them.
+
+## Configuration options
+
+You can configure Windows Hello for Business by using the following options:
+
+- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unamanged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
+- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
+
+## Policy precedence
+
+Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business:
+
+- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used
+- Windows Hello for Business policy settings are enforced using the following hierarchy:
+ - User GPO
+ - Computer GPO
+ - User MDM
+ - Device MDM
+ - Device Lock policy
+
+>[!IMPORTANT]
+>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+
+>[!NOTE]
+> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
+
+### Retrieve the Microsoft Entra tenant ID
+
+The configuration via CSP or registry of different Windows Hello for Business policy settings require to specify the Microsoft Entra tenant ID where the device is registered.
+
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENTRA-2] or try the following, ensuring to sign in with your organization's account:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
+
+For example, the [PassportForWork CSP documentation][CSP-1] describes how to configure Windows Hello for Business options using the OMA-URI:
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}
+```
+
+When configuring devices, replace `TenantID` with your Microsoft Entra tenant ID. For example, if your Microsoft Entra tenant ID is `dcd219dd-bc68-4b9b-bf0b-4a33a796be35`, the OMA-URI would be:
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{dcd219dd-bc68-4b9b-bf0b-4a33a796be35}
+```
+
+## Configure Windows Hello for Business using Microsoft Intune
+
+For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+
+There are different ways to enable and configure Windows Hello for Business in Intune:
+
+- Using a policy applied at the tenant level. The tenant policy:
+ - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
+ - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
+- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
+ - [Settings catalog][MEM-1]
+ - [Security baselines][MEM-2]
+ - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
+ - [Account protection policy][MEM-5]
+ - [Identity protection policy template][MEM-6]
+
+### Verify the tenant-wide policy
+
+To check the Windows Hello for Business policy settings applied at enrollment time:
+
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Windows** > **Windows Enrollment**
+1. Select **Windows Hello for Business**
+1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+
+:::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
+
+## Policy conflicts from multiple policy sources
+
+Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
+
+> [!IMPORTANT]
+> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
+
+> [!NOTE]
+> For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
+
+## Disable Windows Hello for Business enrollment
+
+Windows Hello for Business is enabled by default for devices that are Microsoft Entra joined. If you need to disable the automatic enablement, there are different options, including:
+
+- Disable Windows Hello using the [tenant-wide policy](#verify-the-tenant-wide-policy)
+- Disable it using one of the policy types available in Intune, while enabling the Enrollment Status Page (ESP). The ESP can be configured to prevent a user from accessing the desktop until the device receives all the required policies. For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). The policy setting to configure is [Use Windows Hello for Business](policy-settings.md#use-windows-hello-for-business)
+- Provision the devices using a provisioning package that disables Windows Hello for Business. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages)
+- Scripted solutions that can modify the registry settings to disable Windows Hello for Business during OS deployment
+
+Configuration type| Details |
+|--|-|
+| CSP (user)|**Key path**: `HHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| GPO (user)|**Key path**: `HKEY_USERS\
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+
+> [!NOTE]
+> If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results.
+
+## Next steps
+
+For a list of Windows Hello for Business policy settings, see [Windows Hello for Business policy settings](policy-settings.md).
+
+To learn more about Windows Hello for Business features and how to configure them, see:
+
+- [PIN reset](pin-reset.md)
+- [Dual enrollment](hello-feature-dual-enrollment.md)
+- [Dynamic Lock](hello-feature-dynamic-lock.md)
+- [Multi-factor Unlock](multifactor-unlock.md)
+- [Remote desktop (RDP) sign-in](rdp-sign-in.md)
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp#devicetenantid
+[CSP-2]: /windows/client-management/mdm/passportforwork-csp
+[ENTRA-2]: /entra/fundamentals/how-to-find-tenant
+[MEM-1]: /mem/intune/configuration/settings-catalog
+[MEM-2]: /mem/intune/protect/security-baselines
+[MEM-3]: /mem/intune/configuration/custom-settings-configure
+[MEM-4]: /windows/client-management/mdm/passportforwork-csp
+[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
+[MEM-6]: /mem/intune/protect/identity-protection-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
new file mode 100644
index 0000000000..475b2dc597
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -0,0 +1,117 @@
+---
+title: Windows Hello for Business cloud-only deployment guide
+description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
+ms.date: 01/03/2024
+ms.topic: how-to
+---
+
+# Cloud-only deployment guide
+
+[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
+
+[!INCLUDE [requirements](includes/requirements.md)]
+
+> [!div class="checklist"]
+>
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
+
+## Deployment steps
+
+> [!div class="checklist"]
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
+> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
+
+## Configure Windows Hello for Business policy settings
+
+When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, there's no extra configuration needed.
+
+Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+
+Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are
+typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1].
+
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+
+If the Intune tenant-wide policy is configured to *disable Windows Hello for Business*, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business:
+
+- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
+
+Another optional, but recommended, policy setting is:
+
+- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
+
+Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Require Security Device | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)).
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+---
+
+> [!TIP]
+> If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1].
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed.
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Microsoft Entra ID](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-microsoft-entra-id)
+
+## Disable automatic enrollment
+
+If you want to disable the automatic Windows Hello for Business enrollment, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment).
+
+> [!NOTE]
+> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business.
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
+[WIN-1]: /windows/client-management/mdm/passportforwork-csp
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md
deleted file mode 100644
index ca409fc0b7..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Windows Hello for Business cloud-only deployment
-description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 10/03/2023
-ms.topic: how-to
----
-# Cloud-only deployment
-
-[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)]
-
-## Introduction
-
-When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
-
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
-
-> [!NOTE]
-> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
-
-## Prerequisites
-
-Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
-
-The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment).
-
-It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
-
-```powershell
-Connect-MgGraph
-$DomainId = "
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**|
+| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
or
**User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
- Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
- Select **Update certificates that use certificate templates**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
> [!NOTE]
-> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
->
-> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
-### Configure security for GPO
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
-The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Open the **Enable Windows Hello for Business** GPO
-1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
-1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
-
-### Deploy the Windows Hello for Business Group Policy object
-
-The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
-1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
-
-### Add members to the targeted group
-
-Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
-
-# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-## Configure Windows Hello for Business using Microsoft Intune
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!IMPORTANT]
> The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
@@ -106,99 +64,77 @@ Users (or devices) must receive the Windows Hello for Business group policy sett
> - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
> - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md)
-For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
-There are different ways to enable and configure Windows Hello for Business in Intune:
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
-- Using a policy applied at the tenant level. The tenant policy:
- - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Choose from the following policy types:
- - [Settings catalog][MEM-1]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
-### Verify the tenant-wide policy
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
+| **Windows Hello for Business** | Require Security Device | true |
-To check the Windows Hello for Business policy applied at enrollment time:
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Screenshot that shows disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable and configure Windows Hello for Business
-
-To configure Windows Hello for Business using an *account protection* policy:
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Endpoint security** > **Account protection**
-1. Select **+ Create Policy**
-1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
-1. Select **Create**
-1. Specify a **Name** and, optionally, a **Description** > **Next**
-1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
-1. Under *Enable to certificate for on-premises resources*, select **YES**
-1. Select **Next**
-1. Optionally, add *scope tags* > **Next**
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-1. Review the policy configuration and select **Create**
-
-:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Screenshot that shows enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication).
---
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
-### PIN Setup
+### User experience
-This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
+[!INCLUDE [user-experience](includes/user-experience.md)]
-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
-1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Screenshot that shows animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
-
-> [!IMPORTANT]
-> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
->
-> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
->
-> [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
-
-After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
+After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
> [!NOTE]
-> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint.
+> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint.
-The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
+The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
+
+> [!NOTE]
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users don't need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a hybrid certificate trust deployment model with federated authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-certificate-trust-deployment-model-with-federated-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Active Directory using a certificate](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-certificate)
+- [Microsoft Entra hybrid join authentication using a certificate](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-certificate)
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-[MEM-1]: /mem/intune/configuration/settings-catalog
-[MEM-2]: /mem/intune/protect/security-baselines
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
-[MEM-4]: /windows/client-management/mdm/passportforwork-csp
-[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
-[MEM-6]: /mem/intune/protect/identity-protection-configure
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index 7ff5c70e48..85dd13860f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,20 +1,15 @@
---
title: Configure and validate the PKI in an hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 01/03/2024
ms.topic: tutorial
---
+
# Configure and validate the PKI in a hybrid certificate trust model
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
@@ -22,22 +17,15 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
## Configure the enterprise PKI
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
-> [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
-
-> [!IMPORTANT]
-> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
->
-> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
+[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
-[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
+[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index a9d49ebfec..3fcb86b928 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,74 +1,51 @@
---
-title: Windows Hello for Business hybrid certificate trust deployment
+title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Hybrid certificate trust deployment
+# Hybrid certificate trust deployment guide
[!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)]
-Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-
-This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-
-## Prerequisites
+[!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
-> The following prerequisites must be met for a hybrid certificate trust deployment:
>
-> - Directories and directory synchronization
-> - Federated authentication to Microsoft Entra ID
-> - Device registration
-> - Public Key Infrastructure
-> - Multifactor authentication
-> - Device management
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-### Directories and directory synchronization
+## Deployment steps
-Hybrid Windows Hello for Business needs two directories:
+> [!div class="checklist"]
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md)
+> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md)
+> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
-- An on-premises Active Directory
-- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
+## Federated authentication to Microsoft Entra ID
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
-The hybrid-certificate trust deployment needs a *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
-
-> [!NOTE]
-> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
-
-### Federated authentication to Microsoft Entra ID
-
-Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
-Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
If you're new to AD FS and federation services:
- Review [key AD FS concepts][SER-3] prior to deploying the AD FS farm
- Review the [AD FS design guide][SER-4] to design and plan your federation service
-Once you have your AD FS design ready:
-
-- Review [deploying a federation server farm][SER-2] to configure AD FS in your environment
+Once you have your AD FS design ready, review [deploying a federation server farm][SER-2] to configure AD FS in your environment
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
-### Device registration and device write-back
+## Device registration and device write-back
Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
For Microsoft Entra hybrid joined devices, review the guidance on the [plan your Microsoft Entra hybrid join implementation][AZ-8] page.
@@ -79,9 +56,9 @@ For a **manual configuration** of your AD FS farm to support device registration
Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
> [!NOTE]
-> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the `msDS-KeyCredentialLink` attribute on the computer object.
-If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
+If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure to configure **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
### Public Key Infrastructure
@@ -90,21 +67,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
-### Multifactor authentication
-
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
-
-### Device management
-
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
-
## Next steps
> [!div class="checklist"]
@@ -120,14 +82,10 @@ To configure Windows Hello for Business, devices can be configured through a mob
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
-[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
-[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
deleted file mode 100644
index da843f036d..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md
+++ /dev/null
@@ -1,218 +0,0 @@
----
-title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment
-description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 02/24/2023
-appliesto:
-- ✅ Windows 10, version 21H2 and later
-ms.topic: tutorial
----
-# Configure and provision Windows Hello for Business - cloud Kerberos trust
-
-[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)]
-
-## Deployment steps
-
-Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
-
-1. Set up Microsoft Entra Kerberos.
-1. Configure a Windows Hello for Business policy and deploy it to the devices.
-
-
-
-### Deploy Microsoft Entra Kerberos
-
-If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
-
-If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID][AZ-2] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
-
-### Configure Windows Hello for Business policy
-
-After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-
-#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business.
-
-There are different ways to enable and configure Windows Hello for Business in Intune:
-
-- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group.
-- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- - [Settings catalog][MEM-7]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
-
-### Verify the tenant-wide policy
-
-To check the Windows Hello for Business policy applied at enrollment time:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Devices** > **Windows** > **Windows Enrollment**.
-1. Select **Windows Hello for Business**.
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured.
-
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png":::
-
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable Windows Hello for Business
-
-To configure Windows Hello for Business using an account protection policy:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Endpoint security** > **Account protection**.
-1. Select **+ Create Policy**.
-1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**.
-1. Select **Create**.
-1. Specify a **Name** and, optionally, a **Description** > **Next**.
-1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
- - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
-1. Under **Enable to certificate for on-premises resources**, select **Not configured**
-1. Select **Next**.
-1. Optionally, add **scope tags** and select **Next**.
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
-1. Review the policy configuration and select **Create**.
-
-> [!TIP]
-> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template.
-
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
-
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
-
-### Configure the cloud Kerberos trust policy
-
-The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business.
-
-To configure the cloud Kerberos trust policy:
-
-1. Sign in to the Microsoft Intune admin center.
-1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
-1. For Profile Type, select **Templates** and select the **Custom** Template.
-1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust".
-1. In Configuration Settings, add a new configuration with the following settings:
-
- - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
+
+> [!NOTE]
+> Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy setting is only available as a computer configuration.
+>
+>You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
+>
+>You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
+
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+---
+
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources).
+
+More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after a user signs in, if the prerequisite checks pass. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy.
+
+You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user receives a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't enforced by policy or if the device is Microsoft Entra joined.
+
+> [!NOTE]
+> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user signs in or unlocks with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+
+After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
+
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a cloud Kerberos trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-cloud-kerberos-trust-deployment-model-with-managed-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra join authentication to Active Directory using cloud Kerberos trust](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-cloud-kerberos-trust)
+
+## Migrate from key trust deployment model to cloud Kerberos trust
+
+If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
+
+1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos)
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
+1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
+
+> [!NOTE]
+> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+
+## Migrate from certificate trust deployment model to cloud Kerberos trust
+
+> [!IMPORTANT]
+> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
+
+If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
+
+1. Disable the certificate trust policy
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
+1. Sign out and sign back in
+1. Provision Windows Hello for Business using a method of your choice
+
+> [!NOTE]
+> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+
+## Frequently Asked Questions
+
+For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust).
+
+## Unsupported scenarios
+
+The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
+
+- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
+- Using cloud Kerberos trust for *Run as*
+- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity
-[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
-
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
-
-[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index 10b8e56a94..a1686099b6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,165 +1,114 @@
---
-title: Windows Hello for Business hybrid key trust clients configuration and enrollment
+title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 01/03/2023
+ms.date: 12/29/2023
ms.topic: tutorial
---
-# Configure and enroll in Windows Hello for Business - hybrid key trust
+# Configure and enroll in Windows Hello for Business in a hybrid key trust model
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-
-#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune)
-
-## Configure Windows Hello for Business using Microsoft Intune
-
-For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
-
-There are different ways to enable and configure Windows Hello for Business in Intune:
-
-- Using a policy applied at the tenant level. The tenant policy:
- - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
-- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- - [Settings catalog][MEM-1]
- - [Security baselines][MEM-2]
- - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
- - [Account protection policy][MEM-5]
- - [Identity protection policy template][MEM-6]
-
-### Verify the tenant-wide policy
-
-To check the Windows Hello for Business policy applied at enrollment time:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
-
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
-
-If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
-
-### Enable and configure Windows Hello for Business
-
-To configure Windows Hello for Business using an *account protection* policy:
-
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Endpoint security** > **Account protection**
-1. Select **+ Create Policy**
-1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
-1. Select **Create**
-1. Specify a **Name** and, optionally, a **Description** > **Next**
-1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available
- - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**
- - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business)
-1. Select **Next**
-1. Optionally, add *scope tags* > **Next**
-1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-1. Review the policy configuration and select **Create**
-
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
-
-#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
-
-## Configure Windows Hello for Business using group policies
-
-For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
-It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group.
-
-The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
-
-> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
-
-### Enable Windows Hello for Business group policy setting
-
-The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\
-You can configure the *Enable Windows Hello for Business* setting for computer or users:
-
-- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment
-- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment
-
-If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-### Enable and configure Windows Hello for Business
-
-Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. Type *Enable Windows Hello for Business* in the name box and select **OK**
-1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit**
-1. In the navigation pane, expand **Policies** under **User Configuration**
-1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**
-1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK**
-1. Close the **Group Policy Management Editor**
-
-> [!NOTE]
-> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*.
+> [!div class="checklist"]
+> Once the prerequisites are met and the PKI configuration is validated, deploying Windows Hello for Business consists of the following steps:
>
-> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business).
+> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings)
+> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business)
-### Configure security for GPO
+## Configure Windows Hello for Business policy settings
-The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.
+There's one policy setting required to enable Windows Hello for Business in a key trust model:
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Open the **Enable Windows Hello for Business** GPO
-1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users > Advanced**
-1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
+- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business)
-### Deploy the Windows Hello for Business Group Policy object
+Another optional, but recommended, policy setting is:
-The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device)
-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
-1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
+The following instructions describe how to configure your devices using either Microsoft Intune or group policy (GPO).
-### Add members to the targeted group
+# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune)
-Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.
+> [!NOTE]
+> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business.
+
+If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business).
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Require Security Device | true |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
- **Data type:** `bool`
- **Value:** `True`|
+| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
- **Data type:** `bool`
- **Value:** `True`|
+
+# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)]
+
+[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
---
+If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources)
+
+Other policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
## Enroll in Windows Hello for Business
The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
-This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
:::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png":::
-### PIN Setup
+### User experience
-The following process occurs after a user signs in, to enroll in Windows Hello for Business:
+[!INCLUDE [user-experience](includes/user-experience.md)]
-1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
-1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
-1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
-:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
+After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory.
> [!IMPORTANT]
> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
-> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
+> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and access on-premises resources.
> Read [Microsoft Entra Connect Sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
+### Sequence diagrams
+
+To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type:
+
+- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication)
+- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication)
+- [Provisioning in a hybrid key trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-key-trust-deployment-model-with-managed-authentication)
+
+To better understand the authentication flows, review the following sequence diagram:
+
+- [Microsoft Entra hybrid join authentication using a key](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-key)
+- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key)
+
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-
-[MEM-1]: /mem/intune/configuration/settings-catalog
-[MEM-2]: /mem/intune/protect/security-baselines
-[MEM-3]: /mem/intune/configuration/custom-settings-configure
-[MEM-4]: /windows/client-management/mdm/passportforwork-csp
-[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy
-[MEM-6]: /mem/intune/protect/identity-protection-configure
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[MEM-1]: /mem/intune/configuration/custom-settings-configure
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
deleted file mode 100644
index 2fa08c15c9..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in a hybrid key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model.
-ms.date: 01/03/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Configure and validate the Public Key Infrastructure - hybrid key trust
-
-[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
-
-Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
-
-A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
-
-## Deploy an enterprise certification authority
-
-This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\
-If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session.
-
-### Lab-based PKI
-
-The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**.
-
-Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed.
-
->[!NOTE]
->Never install a certification authority on a domain controller in a production environment.
-
-1. Open an elevated Windows PowerShell prompt
-1. Use the following command to install the Active Directory Certificate Services role.
- ```PowerShell
- Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
- ```
-1. Use the following command to configure the CA using a basic certification authority configuration
- ```PowerShell
- Install-AdcsCertificationAuthority
- ```
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-> [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
-
-> [!IMPORTANT]
-> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
->
-> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish the certificate template to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
-1. Close the console
-
-> [!IMPORTANT]
-> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-## Section review and next steps
-
-Before moving to the next section, ensure the following steps are complete:
-
-> [!div class="checklist"]
->
-> - Configure domain controller certificates
-> - Supersede existing domain controller certificates
-> - Unpublish superseded certificate templates
-> - Publish the certificate template to the CA
-> - Deploy certificates to the domain controllers
-> - Validate the domain controllers configuration
-
-> [!div class="nextstepaction"]
-> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md)
-
-
-[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
-[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)
-[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b0ec7021d..e5a08f2117 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,109 +1,93 @@
---
-title: Windows Hello for Business hybrid key trust deployment
+title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 12/28/2022
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: how-to
+ms.date: 01/03/2024
+ms.topic: tutorial
---
-# Hybrid key trust deployment
+
+# Hybrid key trust deployment guide
[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)]
-Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
-
-This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
-
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md).
-It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
-
-## Prerequisites
-
-The following prerequisites must be met for a hybrid key trust deployment:
+[!INCLUDE [requirements](includes/requirements.md)]
> [!div class="checklist"]
-> * Directories and directory synchronization
-> * Authentication to Microsoft Entra ID
-> * Device registration
-> * Public Key Infrastructure
-> * Multifactor authentication
-> * Device management
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-### Directories and directory synchronization
-
-Hybrid Windows Hello for Business needs two directories:
-
-- An on-premises Active Directory
-- A Microsoft Entra tenant
-
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
-During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
-
-> [!NOTE]
-> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
-
-
-
-### Authentication to Microsoft Entra ID
-
-Authentication to Microsoft Entra ID can be configured with or without federation:
-
-- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
-- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
-
-### Device registration
-
-The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
-For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
-
-### Public Key Infrastructure
-
-An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
-
-
-
-### Multifactor authentication
-
-The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
-Hybrid deployments can use:
-
-- [Microsoft Entra multifactor authentication][AZ-2]
-- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
-
-For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
-
-### Device management
-
-To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy.
-
-## Next steps
-
-Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps:
+## Deployment steps
> [!div class="checklist"]
-> * Configure and validate the PKI
-> * Configure Windows Hello for Business settings
-> * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Microsoft Entra joined devices
+> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Configure and enroll in Windows Hello for Business](hybrid-key-trust-enroll.md)
+> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md)
+
+## Configure and validate the Public Key Infrastructure
+
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+
+Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute).
+
+A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish the certificate template to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue**
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK**
+1. Close the console
+
+> [!IMPORTANT]
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md).
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller certificate template
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate template to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md)
+> [Next: configure and enroll in Windows Hello for Business >](hybrid-key-trust-enroll.md)
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
-[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication
-[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next
-[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
-[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
-[AZ-6]: /azure/active-directory/hybrid/whatis-phs
-[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
-[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
-
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png
deleted file mode 100644
index f327f79f32..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
index ace95add6b..c9cb511415 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
+++ b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg
@@ -1,3 +1,9 @@
-
\ No newline at end of file
+
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif
deleted file mode 100644
index 7bff02eada..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png
deleted file mode 100644
index e9d0876738..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png
deleted file mode 100644
index fd6644b8b7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png
deleted file mode 100644
index ec2ba07684..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png
deleted file mode 100644
index b5ff9bbb58..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md
new file mode 100644
index 0000000000..04964c59b0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md
@@ -0,0 +1,95 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+## Additional federation servers
+
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
+
+### Server authentication certificate
+
+Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+
+### Install additional servers
+
+Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
+
+## Load balance AD FS
+
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+
+### Install Network Load Balancing Feature on AD FS Servers
+
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
+
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage** and then select **Add Roles and Features**
+1. Select **Next** On the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
+1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
+1. On the **Select server roles** page, select **Next**
+1. Select **Network Load Balancing** on the **Select features** page
+1. Select **Install** to start the feature installation
+
+### Configure Network Load Balancing for AD FS
+
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+
+Sign-in a node of the federation farm with *Administrator* equivalent credentials.
+
+1. Open **Network Load Balancing Manager** from **Administrative Tools**
+1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
+1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
+1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
+1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
+1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
+1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
+1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
+1. In Port Rules, select Edit to modify the default port rules to use port 443
+
+### Additional AD FS Servers
+
+1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
+1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
+
+## Configure DNS for Device Registration
+
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
+You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+
+1. Open the **DNS Management** console
+1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
+1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
+1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
+1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
+1. Right-click the `
|
+ | *General* |
|
+ | *Subject Name* |
|
+ |*Cryptography*|
|
+ |*Request Handling*|Select the **Renew with same key** check box|
+ |*Security*|
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Mark the template as the Windows Hello Sign-in template
+
+Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials
+
+Open an elevated command prompt end execute the following command
+
+```cmd
+certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
+```
+
+If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example:
+
+```cmd
+CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+
+Old Value:
+msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+TEMPLATE_SERVER_VER_WINBLUE<
|
+ | *General* |
|
+ | *Subject Name* | Select **Supply in the request**
**Note:** Group Managed Service Accounts (GMSA) don't support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.|
+ | *Cryptography* |
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
+
+#### Create an enrollment agent certificate for a standard service account
+
+Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Right-click **Certificate Templates** and select **Manage**
+1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
+1. Use the following table to configure the template:
+
+ | Tab Name | Configurations |
+ | --- | --- |
+ | *Compatibility* |
|
+ | *General* |
|
+ | *Subject Name* |
|
+ |*Cryptography*|
|
+ | *Security* |
|
+
+1. Select **OK** to finalize your changes and create the new template
+1. Close the console
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
similarity index 98%
rename from windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
index 1bde4860fe..c75a03a96f 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
index 07d8c9cc38..77fad7cbbf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
@@ -29,4 +29,3 @@ Sign in to domain controller or management workstations with *Domain Administrat
1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…**
1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created
1. Select **OK**
-
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
index 92853ac52e..e2d6f588de 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
index ec0faae68f..87e7467d71 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
@@ -11,14 +11,14 @@ Confirm your domain controllers enroll the correct certificates and not any supe
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.
-1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log
+1. Using the Event Viewer, navigate to the **Application and Services** > **Microsoft** > **Windows** > **CertificateServices-Lifecycles-System** event log
1. Look for an event indicating a new certificate enrollment (autoenrollment):
- The details of the event include the certificate template on which the certificate was issued
- The name of the certificate template used to issue the certificate should match the certificate template name included in the event
- The certificate thumbprint and EKUs for the certificate are also included in the event
- The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template
-Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+Certificates superseded by your new domain controller certificate generate an *archive event* in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
### Certificate Manager
@@ -26,9 +26,17 @@ You can use the Certificate Manager console to validate the domain controller ha
### Certutil.exe
-You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates.
+You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:
-To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+```cmd
+certutil.exe -q -store my
+```
+
+To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command:
+
+```cmd
+certutil.exe -q -v -store my
+```
### Troubleshooting
@@ -36,4 +44,4 @@ Windows triggers automatic certificate enrollment for the computer during boot,
Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt.
-Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.
\ No newline at end of file
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the *allow* auto enrollment permissions.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
deleted file mode 100644
index 8e3cfc064b..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-ms.date: 12/15/2023
-ms.topic: include
----
-
-### Configure an enrollment agent certificate template
-
-A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
-
-The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request.
-
-> [!IMPORTANT]
-> Follow the procedures below based on the AD FS service account used in your environment.
-
-#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
-
-Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list.
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *WHFB Enrollment Agent* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
-1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected
-
- > [!NOTE]
- > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
-
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. On the **Security** tab, select **Add**
-1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
-1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
-1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- - Select **OK**
-1. Close the console
-
-#### Create an enrollment agent certificate for a standard service account
-
-Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template**
-1. On the **Compatibility** tab:
- - Clear the **Show resulting changes** check box
- - Select **Windows Server 2016** from the **Certification Authority** list.
- - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
-1. On the **General** tab:
- - Type *WHFB Enrollment Agent* in **Template display name**
- - Adjust the validity and renewal period to meet your enterprise's needs
-1. On the **Subject** tab:
- - Select the **Build from this Active Directory information** button
- - Select **Fully distinguished name** from the **Subject name format**
- - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
-1. On the **Cryptography** tab:
- - Select **Key Storage Provider** from the **Provider Category** list
- - Select **RSA** from the **Algorithm name** list
- - Type *2048* in the **Minimum key size** text box
- - Select **SHA256** from the **Request hash** list
-1. On the **Security** tab, select **Add**
-1. Select **Object Types** and select the **Service Accounts** check box. Select **OK**
-1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK**
-1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
- - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
- - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
- - Select **OK**
-1. Close the console
-
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md
new file mode 100644
index 0000000000..4a2a01ac0b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md
@@ -0,0 +1,11 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+You can configure the [Use Windows Hello for Business](../../policy-settings.md#use-windows-hello-for-business) policy setting in the computer or user node of a GPO:
+
+- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment
+- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment
+
+If both user and computer policy settings are deployed, the user policy setting has precedence.
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
index 89062e7d07..6f98abf51b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-This document describes Windows Hello for Business functionalities or scenarios that apply to:
\ No newline at end of file
+**This article describes Windows Hello for Business functionalities or scenarios that apply to:**
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
index 2ccadb00cb..c0ad0664a4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md
new file mode 100644
index 0000000000..86a5353764
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md
@@ -0,0 +1,10 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+## Requirements
+
+Before starting the deployment, review the requirements described in the [Plan a Windows Hello for Business Deployment](../index.md) article.
+
+Ensure that the following requirements are met before you begin:
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
index fa5e9a3489..128a9cd1a5 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
+[cloud-only :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
index d273002ddd..7ebb44bfc0 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
+[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
index 5594bf39dd..6406e82fc4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
+[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
index 5e4dd851b9..512be88987 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md)
+[domain join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Active Directory joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
index dbddf38006..05bbdd63e1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
+[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra joined don't have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
index 206857ace8..b878a41559 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
+[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
index 8719e2a1cc..17ffcc98b4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md
@@ -1,6 +1,6 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
-[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
+[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 57fd74f5c3..58bad86a1c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
+[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 3bbbe2214f..41d9b6cdf9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
ms.topic: include
---
-[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
+[key trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers")
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
index 22db188040..94d2e088de 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/15/2023
+ms.date: 01/03/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
new file mode 100644
index 0000000000..e8185673e6
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md
@@ -0,0 +1,12 @@
+---
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+After a user signs in, the Windows Hello for Business enrollment process begins:
+
+1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 46c44a5c62..061c4a62e1 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,65 +1,310 @@
---
-title: Windows Hello for Business Deployment Overview
-description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
-ms.date: 02/15/2022
+title: Plan a Windows Hello for Business Deployment
+description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
+ms.date: 01/02/2024
ms.topic: overview
-appliesto:
---
-# Windows Hello for Business Deployment Overview
+# Plan a Windows Hello for Business deployment
-Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
+This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization.
+This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure.
-Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+> [!TIP]
+> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
-## Requirements
+## Using this guide
-This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+There are many options available for deploying Windows Hello for Business, ensuring compatibility with various organizational infrastructures. While the deployment process may appear complex, most organizations will find that they have already implemented the necessary infrastructure. It is important to note that Windows Hello for Business is a distributed system and requires proper planning across multiple teams within an organization.
-- A well-connected, working network
-- Internet access
-- Multi-factor Authentication is required during Windows Hello for Business provisioning
-- Proper name resolution, both internal and external names
-- Active Directory and an adequate number of domain controllers per site to support authentication
-- Active Directory Certificate Services 2012 or later (Note: certificate services aren't needed for cloud Kerberos trust deployments)
-- One or more workstation computers running Windows 10, version 1703 or later
+This guide aims to simplify the deployment process by helping you make informed decisions about each aspect of your Windows Hello for Business deployment. It provides information on the options available and assists in selecting the deployment approach that best suits your environment.
-If you're installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+### How to proceed
-Don't begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working.
+Read this document and record your decisions. When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment.
-## Deployment and trust models
+There are seven main areas to consider when planning a Windows Hello for Business deployment:
-Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
+> [!div class="checklist"]
+>
+> - [Deployment options](#deployment-options)
+> - [Public Key Infrastructure (PKI) requirements](#pki-requirements)
+> - [Authentication to Microsoft Entra ID requirements](#authentication-to-microsoft-entra-id)
+> - [Device configuration options](#device-configuration-options)
+> - [Licensing for cloud services requirements](#licensing-for-cloud-services-requirements)
+> - [Operating System requirements](#operating-system-requirements)
+> - [Prepare users](#prepare-users)
-Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest.
+## Deployment options
-The trust model determines how you want users to authenticate to the on-premises Active Directory:
+The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.
-- The key-trust model is for enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
-- The cloud-trust model is also for hybrid enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and doesn't require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
-- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
-- The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers.
+### Deployment models
-> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md).
+It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment might have already been decided for you based on your current infrastructure.
-Following are the various deployment guides and models included in this topic:
+There are three deployment models from which you can choose:
-- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md)
-- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md)
-- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md)
-- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md)
-- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md)
-- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md)
+| | Deployment model | Description |
+|--|--|--|
+| **🔲** | **Cloud-only** | For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services. |
+| **🔲** | **Hybrid** | For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources. |
+| **🔲** | **On-premises** | For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want an SSO user experiences when accessing them. |
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments.
+>[!NOTE]
+>
+>- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests"
+>- Migration from on-premise to hybrid deployment requires redeployment
-## Provisioning
+### Trust types
-Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. The trust type doesn't affect authentication to Microsoft Entra ID. For this reason, the trust type isn't applicable to a cloud-only deployment model.
-> [!NOTE]
-> You must allow access to the URL `account.microsoft.com` to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL doesn't require any authentication and as such, doesn't collect any user data.
+Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+
+The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
+
+The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
+
+There are three trust types from which you can choose:
+
+|| Trust type | Description |
+|--|--|--|
+| **🔲**| **Cloud Kerberos**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. |
+| **🔲**| **Key**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. |
+| **🔲**| **Certificate**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. |
+
+*Key trust* and *certificate trust* use certificate authentication-based Kerberos when requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
+
+The goal of Windows Hello for Business cloud Kerberos trust is to provide a simpler deployment experience, when compared to the other trust types:
+
+- No need to deploy a public key infrastructure (PKI) or to change an existing PKI
+- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
+- [FIDO2 security key sign-in][ENTRA-1] can be deployed with minimal extra setup
+
+> [!TIP]
+> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
+
+Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1].
+
+## PKI requirements
+
+Cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates. The other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication:
+
+- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate
+- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA
+- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources
+
+| | Deployment model | Trust type | PKI required? |
+|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | no |
+| **🔲** | **Hybrid** | Cloud Kerberos | no |
+| **🔲** | **Hybrid** | Key | yes |
+| **🔲** | **Hybrid** | Certificate | yes |
+| **🔲** | **On-premises** | Key | yes |
+| **🔲** | **On-premises** | Certificate | yes |
+
+## Authentication to Microsoft Entra ID
+
+Users can authenticate to Microsoft Entra ID using federated authentication or cloud (nonfederated) authentication. Requirements vary based on trust type:
+
+| | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements |
+|--|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a |
+| **🔲** | **Cloud-only** | n/a | Federated authentication | Third-party federation service |
+| **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
+| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or third-party federation service |
+| **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
+| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or third-party federation service |
+| **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS|
+
+To learn more:
+
+- [Federation with Microsoft Entra ID][ENTRA-10]
+- [Password hash synchronization (PHS)][ENTRA-6]
+- [Pass-through authentication (PTA)][ENTRA-7]
+
+### Device registration
+
+For on-premises deployments, the server running the Active Directory Federation Services (AD FS) role is responsible for device registration. For cloud-only and hybrid deployments, devices must register in Microsoft Entra ID.
+
+| Deployment model | Supported join type | Device registration service provider |
+|-|-|-|
+| **Cloud-only** |Microsoft Entra joined
Microsoft Entra registered|Microsoft Entra ID |
+| **Hybrid** |Microsoft Entra joined
Microsoft Entra hybrid joined
Microsoft Entra registered|Microsoft Entra ID|
+| **On-premises** | Active Directory domain joined | AD FS |
+
+> [!IMPORTANT]
+> For *Microsoft Entra hybrid joined* guidance, review [Plan your Microsoft Entra hybrid join implementation][ENTRA-5].
+
+### Multifactor authentication
+
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
+
+- For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
+- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2]
+
+> [!IMPORTANT]
+> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
+
+|| Deployment model | MFA options |
+|--|--|--|
+| **🔲** | **Cloud-only** | Microsoft Entra MFA |
+| **🔲** | **Cloud-only** | Third-party MFA via Microsoft Entra ID custom controls or federation |
+| **🔲** | **Hybrid** | Microsoft Entra MFA |
+| **🔲** | **Hybrid** | Third-party MFA via Microsoft Entra ID custom controls or federation|
+| **🔲** | **On-premises** | AD FS MFA adapter |
+
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
+
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+
+#### MFA and federated authentication
+
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
+
+```powershell
+Connect-MgGraph
+$DomainId = "
- Windows 11 21H2, with [KB5010414][KB-2] and later |
+| **🔲** | **Hybrid** | Key | All supported versions |
+| **🔲** | **Hybrid** | Certificate | All supported versions |
+| **🔲** | **On-premises** | Key| All supported versions |
+| **🔲** | **On-premises** | Certificate | All supported versions |
+
+### Windows Server requirements
+
+All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
+
+| | Deployment model | Trust type | Domain Controller OS version |
+|--|--|--|--|
+| **🔲** | **Cloud-only** | n/a | All supported versions |
+| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later
- Windows Server 2019, with [KB4534321][KB-4] and later
- Windows Server 2022 |
+| **🔲** | **Hybrid** | Key | All supported versions |
+| **🔲** | **Hybrid** | Certificate | All supported versions |
+| **🔲** | **On-premises** | Key | All supported versions |
+| **🔲** | **On-premises** | Certificate | All supported versions |
+
+## Prepare users
+
+When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to provision and use Windows Hello.
+
+To learn more, see [Prepare users](prepare-users.md).
+
+## Next steps
+
+Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization.
+
+> [!div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"]
+> To learn more about the deployment process, chose a deployment model and trust type from the following drop-down lists:
+>
+> - [(cloud-only|n/a)](cloud-only.md)
+> - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md)
+> - [(hybrid | key trust)](hybrid-key-trust.md)
+> - [(hybrid | certificate trust)](hybrid-cert-trust.md)
+> - [(on-premises | key trust)](on-premises-key-trust.md)
+> - [(on-premises | certificate trust)](on-premises-cert-trust.md)
+
+
+
+[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
+[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
+[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
+[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
+[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
+[ENTRA-6]: /entra/identity/hybrid/connect/whatis-phs
+[ENTRA-7]: /entra/identity/hybrid/connect/how-to-connect-pta
+[ENTRA-8]: /entra/identity/conditional-access/overview
+[ENTRA-9]: /entra/identity/authentication/concept-mfa-licensing
+[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
+
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
+[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
+
+[KB-1]: https://support.microsoft.com/topic/5010415
+[KB-2]: https://support.microsoft.com/topic/5010414
+[KB-3]: https://support.microsoft.com/topic/4534307
+[KB-4]: https://support.microsoft.com/topic/4534321
+[MEM-1]: /mem/intune/enrollment/quickstart-setup-auto-enrollment
+[WIN-1]: /windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 1757f9c6b1..335e4d5cb6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,180 +1,44 @@
---
-title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Configure Active Directory Federation Services in an on-premises certificate trust model
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
+ms.date: 01/03/2024
ms.topic: tutorial
---
# Prepare and deploy Active Directory Federation Services - on-premises certificate trust
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
+[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)]
-Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
+Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* (CRA) and *device registration*.
-The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
-WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
-To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)]
-A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the AD FS deployment by installing and **updating** two Windows Servers.
-
-## Enroll for a TLS server authentication certificate
-
-Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
-
- - **Subject Name**: the internal FQDN of the federation server
- - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
-
-The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
-
-You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
-
-When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-### AD FS authentication certificate enrollment
-
-Sign-in the federation server with *domain administrator* equivalent credentials.
-
-1. Start the Local Computer **Certificate Manager** (certlm.msc)
-1. Expand the **Personal** node in the navigation pane
-1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
-1. Select **Next** on the **Before You Begin** page
-1. Select **Next** on the **Select Certificate Enrollment Policy** page
-1. On the **Request Certificates** page, select the **Internal Web Server** check box
-1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Screenshot that shows example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
-1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
-1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
-1. Select **Enroll**
-
-A server authentication certificate should appear in the computer's personal certificate store.
-
-## Deploy the AD FS role
-
-AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model:
-
-- Device registration
-- Key registration
-- Certificate registration authority (CRA)
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage > Add Roles and Features**
-1. Select **Next** on the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
-1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
-1. Select **Next** on the **Select features** page
-1. Select **Next** on the **Active Directory Federation Service** page
-1. Select **Install** to start the role installation
-
-## Review to validate the AD FS deployment
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm the AD FS farm uses the correct database configuration
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm **all** AD FS servers in the farm have the latest updates installed
-> * Confirm all AD FS servers have a valid server authentication certificate
-
-## Device registration service account prerequisites
-
-The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
-
-GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-### Create KDS Root Key
-
-Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-
-Start an elevated PowerShell console and execute the following command:
-```PowerShell
-Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
-```
-
-## Configure the Active Directory Federation Service Role
-
-Use the following procedures to configure AD FS.
-
-Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**
-1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
-1. On the **Welcome** page, select **Create the first federation server farm > Next**
-1. On the **Connect to Active Directory Domain Services** page, select **Next**
-1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
-1. Select the federation service name from the **Federation Service Name** list
-1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
-1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
-1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
-1. On the **Review Options** page, select **Next**
-1. On the **Pre-requisite Checks** page, select **Configure**
-1. When the process completes, select **Close**
+[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
> [!NOTE]
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
-> 2. Right-click **Scope Descriptions** and select **Add Scope Description**
-> 3. Under name type *ugs* and select **Apply > OK**
-> 4. Launch PowerShell as an administrator and execute the following commands:
-> ```PowerShell
-> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
-> ```
-> 7. Restart the AD FS service
-> 8. Restart the client. User should be prompted to provision Windows Hello for Business
-
-### Add the AD FS service account to the *Key Admins* group
-
-During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-
-Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select the **Users** container in the navigation pane
-1. Right-click **Key Admins** in the details pane and select **Properties**
-1. Select the **Members > Add…**
-1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
-1. Select **OK** to return to **Active Directory Users and Computers**
-1. Change to server hosting the AD FS role and restart it
-
-Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console
-1. In the navigation pane, expand **Service**. Select **Device Registration**
-1. In the details pane, select **Configure device registration**
-1. In the **Configure Device Registration** dialog, Select **OK**
-
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::
-
-Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::
+> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
+> 1. Under name type *ugs* and select **Apply > OK**
+> 1. Launch PowerShell as an administrator and execute the following commands:
+>
+> ```PowerShell
+> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
+> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
+> ```
+>
+> 1. Restart the AD FS service
+> 1. Restart the client. User should be prompted to provision Windows Hello for Business
## Review to validate the AD FS and Active Directory configuration
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
> [!div class="checklist"]
-> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
-> * Confirm you added the AD FS service account to the KeyAdmins group
-> * Confirm you enabled the Device Registration service
+> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+>
+> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> - Confirm you added the AD FS service account to the KeyAdmins group
+> - Confirm you enabled the Device Registration service
## Configure the certificate registration authority
@@ -187,6 +51,7 @@ Open a **Windows PowerShell** prompt and type the following command:
```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
```
+
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
@@ -196,111 +61,7 @@ AD FS performs its own certificate lifecycle management. Once the registration a
Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
-## Additional federation servers
-
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server authentication certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install additional servers
-
-Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-
-## Load balance AD FS
-
-Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
-
-### Install Network Load Balancing Feature on AD FS Servers
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage** and then select **Add Roles and Features**
-1. Select **Next** On the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
-1. On the **Select server roles** page, select **Next**
-1. Select **Network Load Balancing** on the **Select features** page
-1. Select **Install** to start the feature installation
-
-### Configure Network Load Balancing for AD FS
-
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-
-Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-
-1. Open **Network Load Balancing Manager** from **Administrative Tools**
-1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
-1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
-1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
-1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
-1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
-1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
-1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
-1. In Port Rules, select Edit to modify the default port rules to use port 443
-
-### Additional AD FS Servers
-
-1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
-1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
-
-## Configure DNS for Device Registration
-
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
-You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-
-1. Open the **DNS Management** console
-1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
-1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
-1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
-1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
-1. Right-click the `
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**|
+| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
or
**User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
- Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
- Select **Update certificates that use certificate templates**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+> [!NOTE]
+> The enablement of the *Use a hardware security device* policy setting is optional, but recommended.
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
+
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment.
+
+The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+
+The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
+
+### Sequence diagram
+
+To better understand the provisioning flows, review the following sequence diagram:
+
+- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)
+
+
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md
deleted file mode 100644
index 35fd08dd4d..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
-description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-
-# Validate and deploy multifactor authentication - on-premises certificate trust
-
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-
-Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
-
-- third-party authentication providers for AD FS
-- custom authentication provider for AD FS
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
-
-For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method).
-
-Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
-
-> [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings >](on-premises-cert-trust-enroll.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
deleted file mode 100644
index 2c8db04a8f..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model
-description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-
-# Configure and validate the Public Key Infrastructure - on-premises certificate trust
-
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
-
-[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
-
-[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)]
-
-[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish certificate templates to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
index 4c3f3c04e8..6bd1a94800 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
@@ -1,43 +1,94 @@
---
-title: Deployment guide for the on-premises certificate trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 12/15/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Windows Hello for Business on-premises certificate trust deployment guide
+description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Deployment guide for the on-premises certificate trust model
+# On-premises certificate trust deployment guide
-[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment.
+[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
-There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model:
+[!INCLUDE [requirements](includes/requirements.md)]
-1. [Validate and configure a PKI](on-premises-cert-trust-pki.md)
-1. [Prepare and deploy AD FS](on-premises-cert-trust-adfs.md)
-1. [Validate and deploy multi-factor authentication (MFA)](on-premises-cert-trust-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](on-premises-cert-trust-enroll.md)
+> [!div class="checklist"]
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Windows requirements](index.md#windows-requirements)
+> - [Windows Server requirements](index.md#windows-server-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-## Create the Windows Hello for Business Users security group
+## Deployment steps
-While this is not a required step, it is recommended to create a security group to simplify the deployment.
+Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+> [!div class="checklist"]
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md)
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+## Configure and validate the Public Key Infrastructure
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
+[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
+
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
+
+[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
+
+[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish certificate templates to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller and web server certificate templates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Configure an enrollment agent certificate template
+> - Publish the certificate templates to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index 4446ced825..12685b46eb 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,264 +1,46 @@
---
-ms.date: 09/07/2023
-title: Prepare and deploy Active Directory Federation Services in an on-premises key trust
-description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model.
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+title: Configure Active Directory Federation Services in an on-premises key trust model
+description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
+ms.date: 01/03/2024
ms.topic: tutorial
---
+
# Prepare and deploy Active Directory Federation Services - on-premises key trust
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*.
-The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
-WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
-To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+[!INCLUDE [adfs-validate](includes/adfs-validate.md)]
-A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the AD FS deployment by installing and **updating** two Windows Servers.
-
-## Enroll for a TLS server authentication certificate
-
-Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm:
- - **Subject Name**: the internal FQDN of the federation server
- - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*)
-
-The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*.
-
-You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name.
-
-When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-
-### AD FS authentication certificate enrollment
-
-Sign-in the federation server with *domain administrator* equivalent credentials.
-
-1. Start the Local Computer **Certificate Manager** (certlm.msc)
-1. Expand the **Personal** node in the navigation pane
-1. Right-click **Personal**. Select **All Tasks > Request New Certificate**
-1. Select **Next** on the **Before You Begin** page
-1. Select **Next** on the **Select Certificate Enrollment Policy** page
-1. On the **Request Certificates** page, select the **Internal Web Server** check box
-1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
- :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
-1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
-1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
-1. Select **Enroll**
-
-A server authentication certificate should appear in the computer's personal certificate store.
-
-## Deploy the AD FS role
-
-AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments.
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage > Add Roles and Features**
-1. Select **Next** on the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
-1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
-1. Select **Next** on the **Select features** page
-1. Select **Next** on the **Active Directory Federation Service** page
-1. Select **Install** to start the role installation
-
-## Review to validate the AD FS deployment
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-> [!div class="checklist"]
-> * Confirm the AD FS farm uses the correct database configuration
-> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
-> * Confirm **all** AD FS servers in the farm have the latest updates installed
-> * Confirm all AD FS servers have a valid server authentication certificate
-
-## Device registration service account prerequisites
-
-The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
-
-GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-### Create KDS Root Key
-
-Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-
-Start an elevated PowerShell console and execute the following command:
-```PowerShell
-Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
-```
-
-## Configure the Active Directory Federation Service Role
-
-Use the following procedures to configure AD FS.
-
-Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**
-1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
-1. On the **Welcome** page, select **Create the first federation server farm > Next**
-1. On the **Connect to Active Directory Domain Services** page, select **Next**
-1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
-1. Select the federation service name from the **Federation Service Name** list
-1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
-1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
-1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
-1. On the **Review Options** page, select **Next**
-1. On the **Pre-requisite Checks** page, select **Configure**
-1. When the process completes, select **Close**
-
-### Add the AD FS service account to the *Key Admins* group
-
-During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-
-Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-
-1. Open **Active Directory Users and Computers**
-1. Select the **Users** container in the navigation pane
-1. Right-click **Key Admins** in the details pane and select **Properties**
-1. Select the **Members > Add…**
-1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
-1. Select **OK** to return to **Active Directory Users and Computers**
-1. Change to server hosting the AD FS role and restart it
-
-## Configure the device registration service
-
-Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console
-1. In the navigation pane, expand **Service**. Select **Device Registration**
-1. In the details pane, select **Configure device registration**
-1. In the **Configure Device Registration** dialog, Select **OK**
-
-:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
-
-Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-
-:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
+[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
## Review to validate the AD FS and Active Directory configuration
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
> [!div class="checklist"]
-> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
-> * Confirm you added the AD FS service account to the KeyAdmins group
-> * Confirm you enabled the Device Registration service
+>
+> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> - Confirm you added the AD FS service account to the KeyAdmins group
+> - Confirm you enabled the Device Registration service
-## Additional federation servers
+[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)]
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server authentication certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install additional servers
-
-Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-
-## Load balance AD FS
-
-Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
-
-### Install Network Load Balancing Feature on AD FS Servers
-
-Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-
-1. Start **Server Manager**. Select **Local Server** in the navigation pane
-1. Select **Manage** and then select **Add Roles and Features**
-1. Select **Next** On the **Before you begin** page
-1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
-1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
-1. On the **Select server roles** page, select **Next**
-1. Select **Network Load Balancing** on the **Select features** page
-1. Select **Install** to start the feature installation
-
-### Configure Network Load Balancing for AD FS
-
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-
-Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-
-1. Open **Network Load Balancing Manager** from **Administrative Tools**
-1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
-1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
-1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
-1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
-1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
-1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
-1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
-1. In Port Rules, select Edit to modify the default port rules to use port 443
-
-### Additional AD FS Servers
-
-1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
-1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
-
-## Configure DNS for Device Registration
-
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
-You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-
-1. Open the **DNS Management** console
-1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
-1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
-1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
-1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
-1. Right-click the `
or
**User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**|
+| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**|
+
+[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)]
+
+> [!TIP]
+> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.
+
+Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md).
+
+## Enroll in Windows Hello for Business
+
+The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass.
+
+You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\
+This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4].
+
+### User experience
+
+[!INCLUDE [user-experience](includes/user-experience.md)]
+
+### Sequence diagram
+
+To better understand the provisioning flows, review the following sequence diagram:
+
+- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)
+
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
deleted file mode 100644
index 6d7aef36c5..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
-description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 09/07/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
-ms.topic: tutorial
----
-# Configure and validate the Public Key Infrastructure - on-premises key trust
-
-[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-
-Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
-
-[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
-
-## Configure the enterprise PKI
-
-[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
-
-[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
-
-[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)]
-
-[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
-
-### Publish certificate templates to the CA
-
-A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
-
-Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
-
-## Configure and deploy certificates to domain controllers
-
-[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
-
-## Validate the configuration
-
-[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
-
-> [!div class="nextstepaction"]
-> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 961219b27e..a5a2281196 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,35 +1,86 @@
---
-title: Windows Hello for Business deployment guide for the on-premises key trust model
-description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
-ms.date: 12/12/2022
+title: Windows Hello for Business on-premises key trust deployment guide
+description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
+ms.date: 01/03/2024
ms.topic: tutorial
---
-# Deployment guide overview - on-premises key trust
+# On-premises key trust deployment guide
[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)]
-Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:
+[!INCLUDE [requirements](includes/requirements.md)]
-1. [Validate and configure a PKI](on-premises-key-trust-pki.md)
-1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md)
-1. [Validate and deploy multifactor authentication (MFA)](on-premises-key-trust-mfa.md)
-1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md)
+> [!div class="checklist"]
+>
+> - [Public Key Infrastructure](index.md#pki-requirements)
+> - [Authentication](index.md#authentication-to-microsoft-entra-id)
+> - [Device configuration](index.md#device-configuration-options)
+> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements)
+> - [Windows requirements](index.md#windows-requirements)
+> - [Windows Server requirements](index.md#windows-server-requirements)
+> - [Prepare users to use Windows Hello](prepare-users.md)
-## Create the Windows Hello for Business Users security group
+## Deployment steps
-While this isn't a required step, it's recommended to create a security group to simplify the deployment.
+Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps:
-The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+> [!div class="checklist"]
+>
+> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure)
+> - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md)
+> - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md)
-Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
+## Configure and validate the Public Key Infrastructure
-1. Open **Active Directory Users and Computers**
-1. Select **View > Advanced Features**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Select **New > Group**
-1. Type *Windows Hello for Business Users* in the **Group Name**
-1. Select **OK**
+Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
+
+[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
+
+## Configure the enterprise PKI
+
+[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)]
+
+[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
+
+[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
+
+[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
+
+### Publish certificate templates to the CA
+
+A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
+
+Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
+
+1. Open the **Certification Authority** management console
+1. Expand the parent node from the navigation pane
+1. Select **Certificate Templates** in the navigation pane
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
+1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
+1. Close the console
+
+## Configure and deploy certificates to domain controllers
+
+[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)]
+
+## Validate the configuration
+
+[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)]
+
+## Section review and next steps
+
+> [!div class="checklist"]
+> Before moving to the next section, ensure the following steps are complete:
+>
+> - Configure domain controller and web server certificate templates
+> - Supersede existing domain controller certificates
+> - Unpublish superseded certificate templates
+> - Publish the certificate templates to the CA
+> - Deploy certificates to the domain controllers
+> - Validate the domain controllers configuration
> [!div class="nextstepaction"]
-> [Next: validate and configure PKI >](on-premises-key-trust-pki.md)
\ No newline at end of file
+> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
new file mode 100644
index 0000000000..9dbdfc8a07
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -0,0 +1,45 @@
+---
+title: Prepare users to provision and use Windows Hello for Business
+description: Learn how to prepare users to enroll and to use Windows Hello for Business.
+ms.date: 01/02/2024
+ms.topic: end-user-help
+---
+
+# Prepare users to provision and use Windows Hello for Business
+
+This article provides guidance on how to prepare users to enroll and to use Windows Hello for Business. It also provides guidance on how to communicate the benefits of Windows Hello for Business to users.
+
+## Multi-factor authentication
+
+The provisioning of Windows Hello requires users to authenticate with multi-factor (MFA). Ensure that you have a solution in place for users to use MFA during the process.
+
+> [!TIP]
+> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).
+
+## Biometric gestures
+
+Depending on the hardware, users might be prompted to register their fingerprint or face. Explain to users that for convenience, they should register their biometric gesture during the provisioning process. The biometric gesture can be used to unlock the device and to authenticate to resources that require Windows Hello for Business. Biometric gestures are valid only on the enrolled device and are not stored outside the device.
+
+## User experience
+
+The next video shows the Windows Hello for Business enrollment experience after a user signs in with a password:
+
+1. Since the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture
+1. The user is prompted to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources. The unlock gesture is valid only on the enrolled device.
+
+> [!IMPORTANT]
+> Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
+
+The next video shows the Windows Hello for Business enrollment experience as part of the out-of-box-experience (OOBE) process:
+
+1. The user joins the device to Microsoft Entra ID and is prompted for MFA during the join process
+1. The device is Managed by Microsoft Intune and applies Windows Hello for Business policy settings
+1. After the user profile is loaded, but before the access to the desktop is granted, the user must enroll in Windows Hello
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d alt-text="Video showing the Windows Hello for Business enrollment steps after the out-of-box-experience process."]
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/deploy/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md
deleted file mode 100644
index 61dffe9d37..0000000000
--- a/windows/security/identity-protection/hello-for-business/deploy/requirements.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-ms.date: 10/09/2023
-title: Windows Hello for Business Deployment Prerequisite Overview
-description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.topic: overview
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
----
-
-# Windows Hello for Business Deployment Prerequisite Overview
-
-This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-
-
-
-## Microsoft Entra Cloud Only Deployment
-
-- Microsoft Entra ID
-- Microsoft Entra multifactor authentication
-- Device management solution (Intune or supported third-party MDM), *optional*
-- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
-
-## Hybrid Deployments
-
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
-
-| Requirement | Cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed |
-| --- | --- | --- | --- | --- |
-| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions |
-| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema |
-| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
-| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
-| **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
-| **MFA Requirement** | Azure MFA, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter |
-| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required |
-| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required |
-
-## On-premises Deployments
-
-The table shows the minimum requirements for each deployment.
-
-| Requirement | Key trust
Group Policy managed | Certificate trust
Group Policy managed|
-| --- | --- | ---|
-| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions|
-| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema|
-| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
-| **Domain Controller Version**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **Certificate Authority**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **AD FS Version**| Any supported Windows Server versions | Any supported Windows Server versions |
-| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
index 87ab1eb026..55964be416 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml
@@ -1,29 +1,18 @@
items:
-- name: Windows Hello for Business deployment overview
+- name: Plan a Windows Hello for Business Deployment
href: index.md
-- name: Deployment prerequisite overview
- href: requirements.md
- name: Cloud-only deployment
- href: cloud.md
+ href: cloud-only.md
- name: Hybrid deployments
items:
- name: Cloud Kerberos trust deployment
- items:
- - name: Overview
- href: hybrid-cloud-kerberos-trust.md
- displayName: cloud Kerberos trust
- - name: Configure and provision Windows Hello for Business
- href: hybrid-cloud-kerberos-trust-enroll.md
- displayName: cloud Kerberos trust
+ href: hybrid-cloud-kerberos-trust.md
- name: Key trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: hybrid-key-trust.md
displayName: key trust
- - name: Configure and validate the PKI
- href: hybrid-key-trust-pki.md
- displayName: key trust
- - name: Configure and provision Windows Hello for Business
+ - name: Configure and enroll in Windows Hello for Business
href: hybrid-key-trust-enroll.md
displayName: key trust
- name: Configure SSO for Microsoft Entra joined devices
@@ -31,7 +20,7 @@ items:
displayName: key trust
- name: Certificate trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: hybrid-cert-trust.md
displayName: certificate trust
- name: Configure and validate Public Key Infrastructure (PKI)
@@ -53,25 +42,19 @@ items:
items:
- name: Key trust deployment
items:
- - name: Overview
- href: hybrid-cloud-kerberos-trust.md
- - name: Configure and validate the PKI
- href: on-premises-key-trust-pki.md
+ - name: Requirements and validation
+ href: on-premises-key-trust.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
href: on-premises-key-trust-adfs.md
- - name: Validate and deploy multi-factor authentication (MFA) services
- href: on-premises-key-trust-mfa.md
- - name: Configure Windows Hello for Business policy settings
+ - name: Configure and enroll in Windows Hello for Business
href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment
items:
- - name: Overview
+ - name: Requirements and validation
href: on-premises-cert-trust.md
- - name: Configure and validate Public Key Infrastructure (PKI)
- href: on-premises-cert-trust-pki.md
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: on-premises-cert-trust-adfs.md
- - name: Validate and deploy multi-factor authentication (MFA)
- href: on-premises-cert-trust-mfa.md
- name: Configure and enroll in Windows Hello for Business
href: on-premises-cert-trust-enroll.md
+- name: Prepare users to provision and use Hello
+ href: prepare-users.md
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
similarity index 58%
rename from windows/security/identity-protection/hello-for-business/hello-faq.yml
rename to windows/security/identity-protection/hello-for-business/faq.yml
index 6f42bde365..1b9e0947ca 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -5,7 +5,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
ms.topic: faq
- ms.date: 12/08/2023
+ ms.date: 01/03/2024
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
@@ -17,45 +17,31 @@ sections:
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
- - question: How can a PIN be more secure than a password?
+ - question: Why a PIN is better than an online password
answer: |
- When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
- The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
- - question: How does Windows Hello for Business authentication work?
- answer: |
- When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
- These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device.
- For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md).
- - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process?
- answer: |
- Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
- At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
- - question: What's a container?
- answer: |
- In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
- The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID.
-
- > [!NOTE]
- > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
+ Three main reasons:
+ 1. **A PIN is tied to a device**: one important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it's set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device
+ 1. **A PIN is local to the device**: an online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key
+ 1. **A PIN is backed by hardware**: the Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked
- The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\
- :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys":::
-
- Containers can contain several types of key material:
- - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI.
+ The statement *A PIN is stronger than a password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature.
+ - question: What if someone steals the device?
+ answer: |
+ To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
+ - question: Why do you need a PIN to use biometrics?
+ answer: |
+ Windows Hello enables biometric sign-in with fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+ If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
- question: How are keys protected?
answer: |
- Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
+ Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IdP before the IdP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
- question: How does PIN caching work with Windows Hello for Business?
answer: |
Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.
- Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
+ Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.
- The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching.
+ The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
- question: Where is Windows Hello biometrics data stored?
answer: |
When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
@@ -65,34 +51,26 @@ sections:
- question: Who has access on Windows Hello biometrics data?
answer: |
Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
- - question: What's the difference between non-destructive and destructive PIN reset?
- answer: |
- Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
-
- Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
- question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
answer: |
- Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
+ Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. An IT administrator may configure policy settings, but it's always a user's choice if they want to use biometrics or PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
- question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
answer: |
- To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+ To remove Windows Hello and any associated biometric identification data from the device, open **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
- name: Management and operations
questions:
- - question: Can I deploy and manage Windows Hello for Business using Microsoft Intune?
- answer: |
- Yes, hybrid and cloud-only Windows Hello for Business deployments can use Microsoft Intune. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
- question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager?
answer: |
Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported.
- question: How do I delete a Windows Hello for Business container on a device?
answer: |
- You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device.
+ You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`.
- question: What happens when a user forgets their PIN?
answer: |
- If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app. Users can reset also their PIN from the lock screen by selecting the *I forgot my PIN* link on the PIN credential provider.
+ If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider.
- For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
+ For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the *Windows Hello for Business PIN reset service* to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero').
@@ -118,9 +96,6 @@ sections:
- question: Can I disable the PIN while using Windows Hello for Business?
answer: |
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
- - question: What is Event ID 300?
- answer: |
- This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
- question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
answer: |
The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
@@ -144,7 +119,7 @@ sections:
No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
answer: |
- Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
+ Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
- question: Can I use third-party MFA providers with Windows Hello for Business?
answer: |
Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
@@ -166,19 +141,19 @@ sections:
Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
- question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
answer: |
- Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
+ Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
- question: How does Windows Hello for Business work with Microsoft Entra registered devices?
answer: |
- A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
+ A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
- For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
+ For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
- question: Does Windows Hello for Business work with non-Windows operating systems?
answer: |
- Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
+ Windows Hello for Business is a feature of the Windows platform.
- question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients?
answer: |
No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services.
@@ -191,7 +166,7 @@ sections:
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
- The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
+ The trust models of your deployment determine how you authenticate to Active Directory. Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates:
- The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed)
- The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA
- question: What is convenience PIN?
@@ -202,7 +177,7 @@ sections:
No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
- question: What about virtual smart cards?
answer: |
- Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
+ Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business.
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).
@@ -222,13 +197,13 @@ sections:
Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
- You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+ You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](multifactor-unlock.md).
- name: Cloud Kerberos trust
questions:
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+ Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
answer: |
This feature doesn't work in a pure on-premises AD domain services environment.
@@ -242,7 +217,7 @@ sections:
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose.
+ Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates.
- question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
answer: |
No, only the number necessary to handle the load from all cloud Kerberos trust devices.
@@ -254,4 +229,4 @@ sections:
In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle.
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
- Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
+ Remote Desktop Protocol (RDP) doesn't support using key-based authentication as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
deleted file mode 100644
index 3d9b51898d..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Windows Hello and password changes
-description: Learn the impact of changing a password when using Windows Hello.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Windows Hello and password changes
-
-When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
-
-> [!Note]
-> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
-
-**Example 1**
-
-Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
-Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
-
-**Example 2**
-
-Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
-
->[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
-
-## How to update Hello after you change your password on another device
-
-1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
-1. Select **OK**
-1. Select **Sign-in options**
-1. Select **Password**
-1. Sign in with new password
-1. The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN.
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
deleted file mode 100644
index d80393b040..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Windows Hello biometrics in the enterprise
-description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.date: 01/12/2021
-ms.topic: concept-article
----
-
-# Windows Hello biometrics in the enterprise
-
-Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
-
->[!NOTE]
->When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-
-Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
-
-## How does Windows Hello work?
-
-Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
-
-The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
-
-## Why should I let my employees use Windows Hello?
-
-Windows Hello provides many benefits, including:
-
-- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge.
-- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords!
-- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
-
-## Where is Windows Hello data stored?
-
-The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
-
-> [!NOTE]
->Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
-
-## Has Microsoft set any device requirements for Windows Hello?
-
-We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
-
-- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm.
-
-- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
-
-### Fingerprint sensor requirements
-
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required).
-
-**Acceptable performance range for small to large size touch sensors**
-
-- False Accept Rate (FAR): <0.001 – 0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-**Acceptable performance range for swipe sensors**
-
-- False Accept Rate (FAR): <0.002%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-### Facial recognition sensors
-
-To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-
-- False Accept Rate (FAR): <0.001%
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-> [!NOTE]
->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
-
-### Iris recognition sensor requirements
-
-To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b5c4e51668..a1df8320f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -4,12 +4,11 @@ description: This article is a troubleshooting guide for known Windows Hello for
ms.date: 06/02/2023
ms.topic: troubleshooting
---
+
# Windows Hello for Business known deployment issues
The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
-
-
## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error
PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
@@ -50,8 +49,6 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
-
-
## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
Applies to:
@@ -71,10 +68,10 @@ The issue can be identified using network traces or Kerberos logging from the cl
Log Name: Microsoft-Windows-Kerberos/Operational
Source: Microsoft-Windows-Security-Kerberos
Event ID: 107
-GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
+GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
Task Category: None
Level: Error
-Keywords:
+Keywords:
User: SYSTEM
Description:
@@ -137,7 +134,7 @@ Date:
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
-| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
+| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
## Errors with unknown mitigation
@@ -70,9 +70,9 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0X80072F0C | Unknown |
| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM |
-| 0x80090020 | NTE\_FAIL |
+| 0x80090020 | NTE_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
-| 0x8009002D | NTE\_INTERNAL\_ERROR |
+| 0x8009002D | NTE_INTERNAL_ERROR |
| 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. |
| 0x801C0006 | Unhandled exception from server. |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
deleted file mode 100644
index 3ed49353ea..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ /dev/null
@@ -1,412 +0,0 @@
----
-title: How Windows Hello for Business works - technology and terms
-description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
-ms.date: 10/08/2018
-ms.topic: glossary
----
-
-# Technology and terms
-
-## Attestation identity keys
-
-Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
-
-> [!NOTE]
-> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
-> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
-
-Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
-
-Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
-
-In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate.
-
-### Related to attestation identity keys
-
-- [Endorsement key](#endorsement-key)
-- [Storage root key](#storage-root-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about attestation identity keys
-
-- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
-- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-
-
-## Microsoft Entra join
-
-Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources.
-
-
-
-### Related to Microsoft Entra join
-
-- [Join type](#join-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-
-
-### More information about Microsoft Entra join
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
-
-
-
-## Microsoft Entra registration
-
-The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device.
-
-
-
-### Related to Microsoft Entra registration
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Join type](#join-type)
-
-
-
-### More information about Microsoft Entra registration
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
-
-## Certificate trust
-
-The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
-
-### Related to certificate trust
-
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about certificate trust
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Cloud deployment
-
-The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices.
-
-### Related to cloud deployment
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Deployment type](#deployment-type)
-- [Join type](#join-type)
-
-## Cloud experience host
-
-In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
-
-### Related to cloud experience host
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [Managed Windows Hello in organization](hello-manage-in-organization.md)
-
-### More information on cloud experience host
-
-[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works)
-
-## Cloud Kerberos trust
-
-The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\
-With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI.
-
-Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
-
-### Related to cloud Kerberos trust
-
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about cloud Kerberos trust
-
-[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md)
-
-## Deployment type
-
-Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
-
-- Cloud
-- Hybrid
-- On-premises
-
-### Related to deployment type
-
-- [Cloud deployment](#cloud-deployment)
-- [Hybrid deployment](#hybrid-deployment)
-- [On-premises deployment](#on-premises-deployment)
-
-### More information about deployment type
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Endorsement key
-
-The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
-
-The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
-
-The endorsement key acts as an identity card for the TPM.
-
-The endorsement key is often accompanied by one or two digital certificates:
-
-- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
-
-- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
-
-For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
-
-### Related to endorsement key
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Storage root key](#storage-root-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about endorsement key
-
-- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11))
-- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-## Federated environment
-
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID.
-
-### Related to federated environment
-
-- [Hybrid deployment](#hybrid-deployment)
-- [Managed environment](#managed-environment)
-- [Pass-through authentication](#pass-through-authentication)
-- [Password hash sync](#password-hash-sync)
-
-### More information about federated environment
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-
-
-## Microsoft Entra hybrid join
-
-For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
-
-- IT departments to manage work-owned devices from a central location.
-- Users to sign in to their devices with their Active Directory work or school accounts.
-
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
-
-If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID.
-
-
-
-### Related to Microsoft Entra hybrid join
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Hybrid deployment](#hybrid-deployment)
-
-
-
-### More information about Microsoft Entra hybrid join
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
-
-## Hybrid deployment
-
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
-
-### Related to hybrid deployment
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-### More information about hybrid deployment
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Join type
-
-Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined.
-
-Registering a device to Microsoft Entra ID enables you to manage a device's identity. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Microsoft Entra ID. You can use the identity to enable or disable a device.
-
-When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
-
-Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
-
-### Related to join type
-
-- [Microsoft Entra join](#azure-active-directory-join)
-- [Microsoft Entra registration](#azure-ad-registration)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-
-### More information about join type
-
-[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
-
-## Key trust
-
-The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
-
-### Related to key trust
-
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Certificate trust](#certificate-trust)
-- [Deployment type](#deployment-type)
-- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
-- [Hybrid deployment](#hybrid-deployment)
-- [On-premises deployment](#on-premises-deployment)
-- [Trust type](#trust-type)
-
-### More information about key trust
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Managed environment
-
-Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
-
-### Related to managed environment
-
-- [Federated environment](#federated-environment)
-- [Pass-through authentication](#pass-through-authentication)
-- [Password hash synchronization](#password-hash-sync)
-
-## On-premises deployment
-
-The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
-
-### Related to on-premises deployment
-
-- [Cloud deployment](#cloud-deployment)
-- [Deployment type](#deployment-type)
-- [Hybrid deployment](#hybrid-deployment)
-
-### More information about on-premises deployment
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Pass-through authentication
-
-Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
-
-### Related to pass-through authentication
-
-- [Federated environment](#federated-environment)
-- [Managed environment](#managed-environment)
-- [Password hash synchronization](#password-hash-sync)
-
-### More information about pass-through authentication
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-## Password hash sync
-
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
-
-### Related to password hash sync
-
-- [Federated environment](#federated-environment)
-- [Managed environment](#managed-environment)
-- [Pass-through authentication](#pass-through-authentication)
-
-### More information about password hash sync
-
-[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
-
-## Primary refresh token
-
-Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
-
-The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
-
-The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
-
-## Storage root key
-
-The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
-
-### Related to storage root key
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Trusted platform module](#trusted-platform-module)
-
-### More information about storage root key
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-
-## Trust type
-
-The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
-
-### Related to trust type
-
-- [Cloud Kerberos trust](#cloud-kerberos-trust)
-- [Certificate trust](#certificate-trust)
-- [Hybrid deployment](#hybrid-deployment)
-- [Key trust](#key-trust)
-- [On-premises deployment](#on-premises-deployment)
-
-### More information about trust type
-
-[Windows Hello for Business planning guide](hello-planning-guide.md)
-
-## Trusted platform module
-
-A trusted platform module (TPM) is a hardware component that provides unique security features.
-
-Windows uses security characteristics of a TPM for the following functions:
-
-- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives
-- Protecting credentials
-- Health attestation
-
-A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other:
-
-- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
-- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
-
-Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md).
-
-Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
-
-TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
-
-- Update cryptography strength to meet modern security needs
- - Support for SHA-256 for PCRs
- - Support for HMAC command
-- Cryptographic algorithms flexibility to support government needs
- - TPM 1.2 is severely restricted in terms of what algorithms it can support
- - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
-- Consistency across implementations
- - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
- - TPM 2.0 standardizes much of this behavior
-
-In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
-
-- An RSA 2048-bit key generator
-- A random number generator
-- Nonvolatile memory for storing EK, SRK, and AIK keys
-- A cryptographic engine to encrypt, decrypt, and sign
-- Volatile memory for storing the PCRs and RSA keys
-
-### Related to trusted platform module
-
-- [Attestation identity keys](#attestation-identity-keys)
-- [Endorsement key](#endorsement-key)
-- [Storage root key](#storage-root-key)
-
-### More information about trusted platform module
-
-[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
deleted file mode 100644
index d8f299c354..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: How Windows Hello for Business works
-description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
-ms.date: 05/05/2018
-ms.topic: overview
----
-# How Windows Hello for Business works in Windows Devices
-
-Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
-
-Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
-> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
-
-## Technical Deep Dive
-
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-
-### Device Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
-
-### Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
-
-> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-
-For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
-
-### Authentication
-
-With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
-
-> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-
-For more information read [how authentication works](hello-how-it-works-authentication.md).
-
-## Related topics
-
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Windows Hello for Business](deploy/requirements.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ba06402421..1b1ad680bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -16,7 +16,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
Steps you'll perform include:
-- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect)
+- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect)
- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
@@ -49,8 +49,6 @@ If you need to deploy more than three types of certificates to the Microsoft Ent
All communication occurs securely over port 443.
-
-
## Prepare Microsoft Entra Connect
Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
@@ -59,8 +57,6 @@ Most environments change the user principal name suffix to match the organizatio
To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
-
-
### Verify Microsoft Entra Connect version
Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
@@ -287,8 +283,6 @@ Sign-in to the issuing certificate authority or management workstations with _Do
11. Select on the **Apply** to save changes and close the console.
-
-
### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 4a2846f9e6..f1666e6453 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -4,6 +4,7 @@ description: Learn how to configure single sign-on to on-premises resources for
ms.date: 12/30/2022
ms.topic: how-to
---
+
# Configure single sign-on for Microsoft Entra joined devices
[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
@@ -65,7 +66,7 @@ Use this set of procedures to update the CA that issues domain controller certif
You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
> [!IMPORTANT]
-> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
+> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
### Install the web server
@@ -119,7 +120,7 @@ These procedures configure NTFS and share permissions on the web server to allow
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
-### Disable Caching
+### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**
1. Select **Caching**. Select **No files or programs from the shared folder are available offline**
@@ -190,7 +191,7 @@ Validate the new CRL distribution point is working.
#### Reissue domain controller certificates
-With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
1. Sign-in a domain controller using administrative credentials
1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer
@@ -217,8 +218,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
-
-
## Deploy the root CA certificate to Microsoft Entra joined devices
The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
deleted file mode 100644
index 896453d0bf..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Manage Windows Hello in your organization
-description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.date: 9/25/2023
-ms.topic: reference
----
-
-# Manage Windows Hello for Business in your organization
-
-You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
-
->[!IMPORTANT]
->Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
->
->Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
-
-## Group Policy settings for Windows Hello for Business
-
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
-
-> [!NOTE]
-> The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.
- **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.
- **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.
- **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
- **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.
- **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
- **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer|- Added in Windows 10, version 1703
- **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service
- **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset
- **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.
- For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN
- **Enabled**: Biometrics can be used as a gesture in place of a PIN.
- **Disabled**: Only a PIN can be used as a gesture.|
-
-### PIN Complexity
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.
- **Enabled**: Users must include a digit in their PIN.
- **Disabled**: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN
- **Enabled**: Users must include at least one lowercase letter in their PIN.
- **Disabled**: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.
- **Enabled**: PIN length must be less than or equal to the number you specify.
- **Disabled**: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater than or equal to 4.
- **Enabled**: PIN length must be greater than or equal to the number you specify.
- **Disabled**: PIN length must be greater than or equal to 4.|
-|Expiration|Computer|- **Not configured**: PIN doesn't expire.
- **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
- **Disabled**: PIN doesn't expire.|
-|History|Computer|- **Not configured**: Previous PINs aren't stored.
- **Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
- **Disabled**: Previous PINs aren't stored.
**Note** Current PIN is included in PIN history.
-|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.
- **Enabled**: Windows requires the user to include at least one special character in their PIN.
- **Disabled**: Windows doesn't allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.
- **Enabled**: Users must include at least one uppercase letter in their PIN.
- **Disabled**: Users can't include an uppercase letter in their PIN.|
-
-### Phone Sign-in
-
-|Policy|Scope|Options|
-|--- |--- |--- |
-|Use Phone Sign-in|Computer|Not currently supported.|
-
-## MDM policy settings for Windows Hello for Business
-
-The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
-
->[!IMPORTANT]
->All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.
- False: Users won't be able to provision Windows Hello for Business.
**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
-|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.
- False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|ExcludeSecurityDevice
- TPM12|Device|False|Added in Windows 10, version 1703
- True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
- False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703
- True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
- False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-
-### Biometrics
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.
- False: Only a PIN can be used as a gesture for domain sign-in.|
-|- FacialFeaturesUser
- EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.
- True: Enhanced anti-spoofing is required on devices which support it.
- False: Users can't turn on enhanced anti-spoofing.|
-
-### PINComplexity
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|Digits |Device or user|1 |- 0: Digits are allowed.
- 1: At least one digit is required.
- 2: Digits aren't allowed.|
-|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed.
- 1: At least one lowercase letter is required.
- 2: Lowercase letters aren't allowed.|
-|Special characters|Device or user|2|- 0: Special characters are allowed.
- 1: At least one special character is required.
- 2: Special characters aren't allowed.|
-|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed.
- 1: At least one uppercase letter is required.
- 2: Uppercase letters aren't allowed.|
-|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
-|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
-|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
-
-### Remote
-
-|Policy|Scope|Default|Options|
-|--- |--- |--- |--- |
-|UseRemotePassport|Device or user|False|Not currently supported.|
-
->[!NOTE]
-> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
-
-## Policy conflicts from multiple policy sources
-
-Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
-
-> [!IMPORTANT]
-> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
-
-## Policy precedence
-
-Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
deleted file mode 100644
index 55a70b9a89..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ /dev/null
@@ -1,342 +0,0 @@
----
-title: Plan a Windows Hello for Business Deployment
-description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 09/16/2020
-ms.topic: overview
----
-
-# Plan a Windows Hello for Business Deployment
-
-Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
-
-This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-
-> [!Note]
-> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
-
-## Using this guide
-
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
-
-This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
-
-### How to Proceed
-
-Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
-
-There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-
-- Deployment Options
-- Client
-- Management
-- Active Directory
-- Public Key Infrastructure
-- Cloud
-
-### Baseline Prerequisites
-
-Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
-
-### Deployment Options
-
-The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options.
-
-#### Deployment models
-
-There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
-
-##### Cloud only
-
-The cloud only deployment model is for organizations who only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in Azure.
-
-##### Hybrid
-
-The hybrid deployment model is for organizations that:
-
-- Are federated with Microsoft Entra ID
-- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect
-- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources
-
-> [!Important]
-> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
->
-> **Requirements:**
-> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-
-##### On-premises
-The on-premises deployment model is for organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID.
-
-> [!Important]
-> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
->
-> **Requirements:**
-> - Reset from settings - Windows 10, version 1703, Professional
-> - Reset above lock screen - Windows 10, version 1709, Professional
-> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-
-It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure.
-
-#### Trust types
-
-A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
-
-> [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md).
-
-The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust doesn't require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
-
-> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
-
-#### Device registration
-
-All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
-
-#### Key registration
-
-The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
-
-#### Multifactor authentication
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
-
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a strong credential that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
-
-Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
-> [!NOTE]
-> Microsoft Entra multifactor authentication is available through:
-> * Microsoft Enterprise Agreement
-> * Open Volume License Program
-> * Cloud Solution Providers program
-> * Bundled with
-> * Microsoft Entra ID P1 or P2
-> * Enterprise Mobility Suite
-> * Enterprise Cloud Suite
-
-#### Directory synchronization
-
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
-
-### Management
-
-Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
-
-#### Group Policy
-
-Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units.
-
-#### Modern management
-
-Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and nondomain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform
-
-### Client
-
-Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
-
-Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update.
-
-
-### Active Directory
-
-Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment.
-
-### Public Key Infrastructure
-
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources.
-
-### Cloud
-
-Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities. These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
-
-## Planning a Deployment
-
-Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure.
-
-Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment.
-
-### Deployment Model
-
-Choose the deployment model based on the resources your users access. Use the following guidance to make your decision.
-
-If your organization doesn't have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet.
-
-If your organization is federated with Azure or uses any service, such as AD Connect, Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
-
-If your organization doesn't have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
-
->[!NOTE]
->
->- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests"
->- Migration from on-premise to hybrid deployment will require redeployment
-
-### Trust type
-
-Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
-
-Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
-
-One trust model isn't more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).
-
-Because the certificate trust types issues certificates, there's more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect.
-
-If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
-
-If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet.
-
-### Device Registration
-
-A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet.
-
-### Key Registration
-
-All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet.
-
-### Directory Synchronization
-
-Windows Hello for Business is strong user authentication, which usually means there's an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Microsoft Entra ID and there isn't another directory with which the information must be synchronized.
-
-If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network.
-
-### Multifactor authentication
-
-The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and can't be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
-
-If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include:
-* Directly use Azure MFA cloud service
-* Use AD FS w/Azure MFA cloud service adapter
-* Use AD FS w/Azure MFA Server adapter
-* Use AD FS w/3rd Party MFA Adapter
-
-You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
-
-If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
-
-You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
-
-Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet.
-
-The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, then you have two-second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter.
-
-If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet.
-
-### Management
-
-Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage nondomain joined devices. If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
-
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
-
-Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and nondomain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for nondomain joined devices. Or, you can use modern management for both domain and nondomain joined devices.
-
-If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage nondomain joined devices; otherwise, write **N/A**.
-
-If you use modern management for both domain and nondomain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
-
-### Client
-
-Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
-
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-> [!NOTE]
-> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
-
-Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **2a** on your planning worksheet read **modern management**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**.
- Optionally, you may write **1511 or later* in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true.
-* Box **1a** on your planning worksheet reads **on-premises**.
- Write **N/A** in box **3b** on your planning worksheet.
-* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**.
- * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices.
-
-### Active Directory
-
-The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
-
-Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
-
-### Public Key Infrastructure
-
-Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type.
-
-If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments don't use a public key infrastructure.
-
-If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
-
-The registration authority only relates to certificate trust deployments and the management used for domain and nondomain joined devices. Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
-
-If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances:
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | AD FS RA |
-| Web Server | AD FS RA |
-
-If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet.
-
-| Certificate Template Name | Issued To |
-| --- | --- |
-| Exchange Enrollment Agent | NDES |
-| Web Server | NDES |
-| CEP Encryption | NDES |
-
-### Cloud
-
-Nearly all deployments of Windows Hello for Business require an Azure account.
-
-If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments don't use the cloud directory.
-
-Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
-
-If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
-
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature.
-
-Modern managed devices don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
-
-If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
-
-## Congratulations, You're Done
-
-Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
deleted file mode 100644
index 52459fe655..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Prepare people to use Windows Hello
-description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.date: 08/19/2018
-ms.topic: end-user-help
----
-# Prepare people to use Windows Hello
-
-When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
-
-After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-
-Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
-
-People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
-
-## On devices owned by the organization
-
-When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
-
-
-Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
-
-
-They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
-
-After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
-
-## On personal devices
-
-People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
-
-People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
-
-## Using Windows Hello and biometrics
-
-If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
-:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png":::
-
-## Related topics
-
-- [Windows Hello for Business](deploy/requirements.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
deleted file mode 100644
index 24b362c125..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Windows Hello for Business Videos
-description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 09/07/2023
-ms.topic: get-started
----
-# Windows Hello for Business Videos
-## Overview of Windows Hello for Business and Features
-
-Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
-
-> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
-
-## Why PIN is more secure than a password
-
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
-
-> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
-
-## Microsoft's passwordless strategy
-
-Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
-
-> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
-
-## Windows Hello for Business Provisioning
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
-
-> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-
-## Windows Hello for Business Authentication
-
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
-
-> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
deleted file mode 100644
index 6fe91595bc..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Why a PIN is better than an online password
-description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.date: 03/15/2023
-ms.topic: concept-article
----
-# Why a PIN is better than an online password
-
-Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
-
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
-
-> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
-
-## A PIN is tied to the device
-
-One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too.
-
-The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
-
-## PIN is local to the device
-
-An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
-When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server.
-Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
-
->[!NOTE]
->For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
-
-## PIN is backed by hardware
-
-The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords.
-
-User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
-
-The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
-
-## PIN can be complex
-
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
-
-## What if someone steals the device?
-
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
-You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
-
-### Configure BitLocker without TPM
-
-To enable BitLocker without TPM, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
-1. In the policy option, select **Allow BitLocker without a compatible TPM > OK**
-1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption**
-1. Select the operating system drive to protect
-
-### Set account lockout threshold
-
-To configure account lockout threshold, follow these steps:
-
-1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
-1. Set the number of invalid logon attempts to allow, and then select OK
-
-## Why do you need a PIN to use biometrics?
-
-Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
-
-If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
similarity index 81%
rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
rename to windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
index af0ff0de5a..5bd47775ff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@@ -1,7 +1,7 @@
---
title: How Windows Hello for Business authentication works
description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 05/24/2023
+ms.date: 01/03/2024
ms.topic: reference
---
# Windows Hello for Business authentication
@@ -10,11 +10,9 @@ Windows Hello for Business authentication is a passwordless, two-factor authenti
Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background.
-
-
## Microsoft Entra join authentication to Microsoft Entra ID
-
+:::image type="content" source="images/howitworks/auth/entra-join-entra.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Microsoft Entra ID." lightbox="images/howitworks/auth/entra-join-entra.png" border="false":::
> [!NOTE]
> All Microsoft Entra joined devices authenticate with Windows Hello for Business to Microsoft Entra ID the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
@@ -27,37 +25,31 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-
-
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-ckt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/entra-join-ad-ckt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
-
-
## Microsoft Entra join authentication to Active Directory using a key
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-kt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/entra-join-ad-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
-|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE]
> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
-
-
## Microsoft Entra join authentication to Active Directory using a certificate
-
+:::image type="content" source="images/howitworks/auth/entra-join-ad-ct.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/entra-join-ad-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -68,11 +60,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
> [!NOTE]
> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
-
-
## Microsoft Entra hybrid join authentication using cloud Kerberos trust
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ckt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/hybrid-entra-join-ckt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -80,18 +70,16 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-
-
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Microsoft Entra hybrid join authentication using a key
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-kt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/hybrid-entra-join-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
@@ -101,11 +89,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
> [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
-
-
## Microsoft Entra hybrid join authentication using a certificate
-
+:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ct.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/hybrid-entra-join-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
similarity index 85%
rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
rename to windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
index b2e01e88dd..9c6ef249eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@@ -1,7 +1,7 @@
---
title: How Windows Hello for Business provisioning works
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
-ms.date: 12/12/2022
+ms.date: 01/03/2024
ms.topic: reference
appliesto:
---
@@ -14,23 +14,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
- The Windows Hello for Business deployment type
- If the environment is managed or federated
-List of provisioning flows:
-
-- [Microsoft Entra joined provisioning in a managed environment](#microsoft-entra-joined-provisioning-in-a-managed-environment)
-- [Microsoft Entra joined provisioning in a federated environment](#microsoft-entra-joined-provisioning-in-a-federated-environment)
-- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
-- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-- [Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment](#microsoft-entra-hybrid-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
-- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
-- [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
-
> [!NOTE]
> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
-## Microsoft Entra joined provisioning in a managed environment
+## Provisioning for Microsoft Entra joined devices with managed authentication
-
-[Full size image](images/howitworks/prov-aadj-managed.png)
+:::image type="content" source="images/howitworks/prov/entra-join-managed.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with managed authentication." lightbox="images/howitworks/prov/entra-join-managed.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -38,10 +27,9 @@ List of provisioning flows:
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. |
-## Microsoft Entra joined provisioning in a federated environment
+## Provisioning for Microsoft Entra joined devices with federated authentication
-
-[Full size image](images/howitworks/prov-aadj-federated.png)
+:::image type="content" source="images/howitworks/prov/entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with federated authentication." lightbox="images/howitworks/prov/entra-join-federated.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -49,10 +37,9 @@ List of provisioning flows:
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application, which signals the end of user provisioning and the application exits. |
-## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment
+## Provisioning in a cloud Kerberos trust deployment model with managed authentication
-
-[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-ckt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid cloud Kerberos trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-ckt.png" border="false":::
| Phase | Description |
|:-:|:-|
@@ -63,25 +50,23 @@ List of provisioning flows:
> [!NOTE]
> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential.
-## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment
+## Provisioning in a hybrid key trust deployment model with managed authentication
-
-[Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-managed-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid key trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-managed-kt.png" border="false":::
| Phase | Description |
|:-:|:-|
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service provides the second factor of authentication. If the user has performed Microsoft Entra multifactor authentication within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they aren't prompted for MFA because the current MFA remains valid.
Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. |
-| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
+| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's `msDS-KeyCredentialLink` attribute in Active Directory. |
> [!IMPORTANT]
> The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory.
-## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment
+## Provisioning in a hybrid certificate trust deployment model with federated authentication
-
-[Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+:::image type="content" source="images/howitworks/prov/hybrid-entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid certificate trust deployment model with federated authentication." lightbox="images/howitworks/prov/hybrid-entra-join-federated.png" border="false":::
| Phase | Description |
|:-|:-|
@@ -96,10 +81,9 @@ List of provisioning flows:
> [!IMPORTANT]
> Synchronous certificate enrollment doesn't depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
-## Domain joined provisioning in an On-premises Key Trust deployment
+## Provisioning in an on-premises key trust deployment model
-
-[Full size image](images/howitworks/prov-onprem-keytrust.png)
+:::image type="content" source="images/howitworks/prov/onprem-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises key trust deployment model." lightbox="images/howitworks/prov/onprem-kt.png" border="false":::
| Phase | Description |
| :----: | :----------- |
@@ -107,10 +91,9 @@ List of provisioning flows:
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
-## Domain joined provisioning in an On-premises Certificate Trust deployment
+## Provisioning in an on-premises certificate trust deployment model
-
-[Full size image](images/howitworks/prov-onprem-certtrust.png)
+:::image type="content" source="images/howitworks/prov/onprem-ct.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises certificate trust deployment model." lightbox="images/howitworks/prov/onprem-ct.png" border="false":::
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
new file mode 100644
index 0000000000..87250d1fa9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -0,0 +1,236 @@
+---
+title: How Windows Hello for Business works
+description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
+ms.date: 01/09/2024
+ms.topic: concept-article
+---
+
+# How Windows Hello for Business works
+
+Windows Hello for Business is a distributed system that requires multiple technologies to work together. To simplify the explanation of how Windows Hello for Business works, let's break it down into five phases, which represent the chronological order of the deployment process.
+
+> [!NOTE]
+> Two of these phases are required only for certain deployment scenarios.
+>
+> The deployment scenarios are described in the article: [Plan a Windows Hello for Business deployment](deploy/index.md).
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/device-registration.png" alt-text="Icon representing the device registration phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Device registration phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, the device registers its identity with the identity provider (IdP), so that it can be associated and authenticate to the IdP.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/provision.png" alt-text="Icon representing the provisioning phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Provisioning phase
+ :::column-end:::
+:::row-end:::
+
+During this phase, the user authenticates using one form of authentication (typically, username/password) to request a new Windows Hello for Business credential. The provisioning flow requires a second factor of authentication before it can generate a public/private key pair. The public key is registered with the IdP, mapped to the user account.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/synchronization.png" alt-text="Icon representing the synchronization phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Key synchronization phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, **required by some hybrid deployments**, the user's public key is synchronized from Microsoft Entra ID to Active Directory.
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/certificate-enrollment.png" alt-text="Icon representing the certificate enrollment phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Certificate enrollment phase
+ :::column-end:::
+:::row-end:::
+
+In this phase, **required only by deployments using certificates**, a certificate is issued to the user using the organization's public key infrastructure (PKI).
+
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/howitworks/authentication.png" alt-text="Icon representing the authentication phase." border="false":::
+ :::column-end:::
+ :::column span="3":::
+ #### Authentication phase
+ :::column-end:::
+:::row-end:::
+
+In this last phase, the user can sign-in to Windows using biometrics or a PIN. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The IdP validates the user identity by mapping the user account to the public key registered during the provisioning phase.
+
+The following sections provide deeper insights into each of these phases.
+
+## Device Registration
+
+All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to be associated and to authenticate to an IdP:
+
+- For cloud and hybrid deployments, the identity provider is Microsoft Entra ID, and the device registers with the *Device Registration Service*
+- For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the *Enterprise Device Registration Service* hosted on AD FS
+
+When a device is registered, the IdP provides the device with an identity that is used to authenticate the device when a user signs-in.
+
+There are different registration types, which are identified as *join type*. For more information, see [What is a device identity][ENTRA-1].
+
+For detailed sequence diagrams, see [how device registration works][ENTRA-4].
+
+## Provisioning
+
+:::row:::
+ :::column:::
+ Windows Hello provisioning is triggered once device registration completes, and after the device receives a policy that enables Windows Hello. If all the prerequisites are met, a Cloud eXperience Host (CXH) window is launched to take the user through the provisioning flow.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="images/howitworks/cxh-provision.png" alt-text="Screenshot of the Cloud Experience Host prompting the user to provision Windows Hello." border="false" lightbox="images/howitworks/cxh-provision.png":::
+ :::column-end:::
+:::row-end:::
+
+> [!NOTE]
+> The list of prerequisites varies depending on the deployment type, as described in the article [Plan a Windows Hello for Business deployment](deploy/index.md).
+
+During the provisioning phase, a *Windows Hello container* is created. A Windows Hello container is a logical grouping of *key material*, or data. The container holds organization's credentials only on devices that are *registered* with the organization's IdP.
+
+> [!NOTE]
+> There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
+
+Here are the steps involved with the provisioning phase:
+
+1. In the CXH window, the user is prompted to authenticate to the IdP with MFA
+1. After successful MFA, the user must provide a bio gesture (if available), and a PIN
+1. After the PIN confirmation, the Windows Hello container is created
+1. A public/private key pair is generated. The key pair is bound to the Trusted Platform Module (TPM), if available, or in software
+1. The private key is stored locally and protected by the TPM, and can't be exported
+1. The public key is registered with the IdP, mapped to the user account
+ 1. The Device Registration Service writes the key to the user object in Microsoft Entra ID
+ 1. For on-premises scenarios, AD FS writes the key to Active Directory
+
+The following video shows the Windows Hello for Business enrollment steps after signing in with a password:
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
+
+For more information and detailed sequence diagrams, see [how provisioning works](how-it-works-provisioning.md).
+
+### Windows Hello container details
+
+:::row:::
+ :::column:::
+ During the provisioning phase, Windows Hello generates a new public/private key pair on the device. The TPM generates and protects the private key. If the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. The protector key is associated with a single gesture: if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures has a unique protector key.
+
+ The protector key securely wraps the *authentication key*. The authentication key is used to unlock the *user ID keys*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys.
+ :::column-end:::
+ :::column:::
+ :::image type="content" source="images/howitworks/hello-container.png" alt-text="Diagram of the Windows Hello container." border="false" lightbox="images/howitworks/hello-container.png":::
+ :::column-end:::
+:::row-end:::
+
+Each protector encrypts its own copy of the authentication key. How the encryption is performed is up to the protector itself. For example, the PIN protector performs a TPM seal operation using the PIN as entropy, or when no TPM is available, performs symmetric encryption of the authentication key using a key derived from the PIN itself.
+
+> [!IMPORTANT]
+> Keys can be generated in hardware (TPM 1.2 or 2.0) or software, based on the configured policy setting. To guarantee that keys are generated in hardware, you must configure a policy setting. For more information, see [Use a hardware security device](policy-settings.md#use-a-hardware-security-device).
+
+Personal (Microsoft account) and Work or School (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+
+Windows Hello also generates an *administrative key*. The administrative key can be used to reset credentials when necessary. For example, when using the [PIN reset service](pin-reset.md). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
+
+Access to the key material stored in the container, is enabled only by the PIN or biometric gesture. The two-step verification that takes place during provisioning creates a trusted relationship between the IdP and the user. This happens when the public portion of the public/private key pair is sent to an identity provider and associated with the user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services.
+
+A container can contain several types of key material:
+
+- An *authentication key*, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key is generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key
+- One or multiple *user ID keys*. These keys can be either symmetric or asymmetric, depending on which IdP you use. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the user ID key or key pair can request access. User ID keys are used to sign or encrypt authentication requests or tokens sent from this device to the IdP. User ID keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IdP (which stores it for later verification), and securely stores the private key. For organizatrons, the user ID keys can be generated in two ways:
+ - The user ID key pair can be associated with an organization's Certificate Authority (CA). This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the organization to store other certificates in the protected container. For example, certificates that allows the user to authenticate via RDP
+ - The IdP can generate the user ID key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI
+
+User ID keys are used to authenticate the user to a service. For example, by signing a nonce to prove possession of the private key, which corresponds to a registered public key. Users with an Active Directory, Microsoft Entra ID or Microsoft account have a key associated with their account. The key can be used to sign into their Windows device by authenticating to a domain controller (Active Directory scenario), or to the cloud (Microsoft Entra ID and MSA scenarios).
+
+Windows Hello can also be used as a FIDO2 authenticator to authenticate to any website that supports WebAuthn. Websites or application can create a FIDO user ID key in the user's Windows Hello container using APIs. On subsequent visits, the user can authenticate to the website or app using their Windows Hello PIN or biometric gesture.
+
+To learn more how Windows uses the TPM in support of Windows Hello for Business, see [How Windows uses the Trusted Platform Module](../../hardware-security/tpm/how-windows-uses-the-tpm.md).
+
+### Biometric data storage
+
+The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Even if an attacker could obtain the biometric data from a device, it couldn't be converted back into a raw biometric sample recognizable by the biometric sensor.
+
+Each sensor has its own biometric database file where template data is stored (path `C:\WINDOWS\System32\WinBioDatabase`). Each database file has a unique, randomly generated key that is encrypted to the system. The template data for the sensor is encrypted with the per-database key using AES with CBC chaining mode. The hash is SHA256.
+
+> [!NOTE]
+>Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors store biometric data on the fingerprint module instead of in the database file. For more information, see [Windows Hello Enhanced Security Sign-in (ESS)][WINH-1].
+
+## Key synchronization
+
+Key synchronization is required in hybrid environments. After the user provisions a Windows Hello for Business credential, the key must synchronize from Microsoft Entra ID to Active Directory.
+
+The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object in Active Directory. The synchronization is handled by Microsoft Entra Connect Sync.
+
+## Certificate enrollment
+
+For certificate deployments, after registering the key, the client generates a certificate request. The request is sent to the Certificate Registration Authority (CRA). The CRA is on the Active Directory Federation Services (AD FS) server, which validates the certificate request and fulfills it using the enterprise PKI.
+
+A certificate is enrolled on the user's Hello container, which is used to authenticate to on-premises resources.
+
+## Authentication
+
+Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials, and the token that is obtained using those credentials, are bound to the device.
+
+Authentication is the two-factor authentication with the combination of:
+
+- A key, or certificate, tied to a device and
+ - something that the person knows (a PIN) or
+ - something that the person is (biometrics)
+
+PIN entry and biometric gesture both trigger Windows to use the private key to cryptographically sign data that is sent to the identity provider. The IdP verifies the user's identity and authenticates the user.
+
+The PIN or the private portion of the credentials is never sent to the IdP, and the PIN isn't stored on the device. The PIN and bio gestures are *user-provided entropy* when performing operations that use the private portion of the credential.
+
+When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever User ID keys reside inside the container.
+
+These keys are used to sign requests that are sent to the IdP, requesting access to specified resources.
+
+> [!IMPORTANT]
+> Although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device.
+
+For more information and detailed sequence diagrams, see [how authentication works](how-it-works-authentication.md).
+
+### Primary refresh token
+
+Single sign-on (SSO) relies on special tokens obtained to access specific applications. In the traditional Windows Integrated authentication case using Kerberos, the token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a *primary refresh token* (PRT). It's a [JSON Web Token][WEB-1] that contains claims about both the user and the device.
+
+The PRT is initially obtained during sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon *Add Work or School Account*. For a personal device, the account to unlock the device isn't the work account, but a consumer account (*Microsoft account*).
+
+The PRT is needed for SSO. Without it, users would be prompted for credentials every time they access applications. The PRT also contains information about the device. If you have any [device-based conditional access][ENTRA-3] policies set on an application, without the PRT access is denied.
+
+> [!TIP]
+> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
+
+For more information, see [What is a Primary Refresh Token][ENTRA-2].
+
+### Windows Hello for Business and password changes
+
+Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> To accommodate the multitude of organizations needs and requirements, Windows Hello for Business offers different deployment options. To learn how to plan a Windows Hello for Business deployment, see:
+>
+> [Plan a Windows Hello for Business Deployment](deploy/index.md)
+
+
+
+[ENTRA-1]: /entra/identity/devices/overview
+[ENTRA-2]: /entra/identity/devices/concept-primary-refresh-token
+[ENTRA-3]: /entra/identity/conditional-access/concept-conditional-access-grant
+[ENTRA-4]: /entra/identity/devices/device-registration-how-it-works
+
+[WEB-1]: https://openid.net/specs/draft-jones-json-web-token-07.html
+[WINH-1]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
diff --git a/windows/security/identity-protection/hello-for-business/images/authflow.png b/windows/security/identity-protection/hello-for-business/images/authflow.png
deleted file mode 100644
index 1ddf18cc1f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/authflow.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/connect.png b/windows/security/identity-protection/hello-for-business/images/connect.png
deleted file mode 100644
index 2338eda8d2..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/connect.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/corpown.png b/windows/security/identity-protection/hello-for-business/images/corpown.png
deleted file mode 100644
index f87d33ce86..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/corpown.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/fingerprint.svg b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
new file mode 100644
index 0000000000..e2b816716a
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hello.svg b/windows/security/identity-protection/hello-for-business/images/hello.svg
new file mode 100644
index 0000000000..5601c82127
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/hello.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/hellosettings.png b/windows/security/identity-protection/hello-for-business/images/hellosettings.png
deleted file mode 100644
index 9b897a136e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hellosettings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png
deleted file mode 100644
index 344be6aa22..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png
deleted file mode 100644
index 751e2fbe99..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png
deleted file mode 100644
index 1fec70ce5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png
deleted file mode 100644
index 095ebc3417..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png
deleted file mode 100644
index 905d36fa8f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png
deleted file mode 100644
index 0a803d8fbb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png
deleted file mode 100644
index 7f82cda5ae..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png
new file mode 100644
index 0000000000..ef60414e70
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png
new file mode 100644
index 0000000000..e45839808a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png
new file mode 100644
index 0000000000..213efe1241
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png
new file mode 100644
index 0000000000..584702dcd1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png
new file mode 100644
index 0000000000..2ee3ebd7ff
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png
new file mode 100644
index 0000000000..7e4cb22dcf
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png
new file mode 100644
index 0000000000..9f085f40e9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png
new file mode 100644
index 0000000000..4c36e92b32
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png
new file mode 100644
index 0000000000..5b491739be
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png
new file mode 100644
index 0000000000..28fe43819e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png
new file mode 100644
index 0000000000..f2efb0a732
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png
new file mode 100644
index 0000000000..2cd717e7f4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png
deleted file mode 100644
index dd7eee063e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png
deleted file mode 100644
index 3e67ac6b42..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png
deleted file mode 100644
index b2867c3aeb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png
deleted file mode 100644
index b7f4927730..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png
deleted file mode 100644
index 5bf7d96a34..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png
deleted file mode 100644
index 6afa492270..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png
deleted file mode 100644
index 3e051918ce..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png
new file mode 100644
index 0000000000..b1d934b030
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png
new file mode 100644
index 0000000000..8cba709a71
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png
new file mode 100644
index 0000000000..2c49786e91
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png
new file mode 100644
index 0000000000..9cbe229993
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png
new file mode 100644
index 0000000000..66b65155ee
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png
new file mode 100644
index 0000000000..9a19b71d78
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png
new file mode 100644
index 0000000000..8a01d2dc3e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png
new file mode 100644
index 0000000000..3c79cec610
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png
new file mode 100644
index 0000000000..2823638bc5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/iris.svg b/windows/security/identity-protection/hello-for-business/images/iris.svg
new file mode 100644
index 0000000000..871cac50d5
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/iris.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png
deleted file mode 100644
index 47823d76a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png
deleted file mode 100644
index fd7afd80cb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png b/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
deleted file mode 100644
index d00836529a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
deleted file mode 100644
index 6b19520041..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
deleted file mode 100644
index 21329d0ffa..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
deleted file mode 100644
index 8552a3ee2f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
deleted file mode 100644
index fd9085fbd1..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
deleted file mode 100644
index 1ec0fe5a29..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
deleted file mode 100644
index 9731de1222..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
deleted file mode 100644
index 5935422718..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
deleted file mode 100644
index 9e3a5509a9..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
deleted file mode 100644
index 9b068a70a2..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
deleted file mode 100644
index b4e1575d05..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
deleted file mode 100644
index 06a13b6f1a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
deleted file mode 100644
index dd8c09b2dd..0000000000
--- a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
+++ /dev/null
@@ -1,11 +0,0 @@
-
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png
deleted file mode 100644
index abb9b6456d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png
deleted file mode 100644
index 8913baa8ce..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png
deleted file mode 100644
index b0d03a6299..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pin.svg b/windows/security/identity-protection/hello-for-business/images/pin.svg
new file mode 100644
index 0000000000..a34b2fa5db
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/pin.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/images/pinerror.png b/windows/security/identity-protection/hello-for-business/images/pinerror.png
deleted file mode 100644
index 28a759f2fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/pinerror.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/provisioning-error.png b/windows/security/identity-protection/hello-for-business/images/provisioning-error.png
new file mode 100644
index 0000000000..4f14752014
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/provisioning-error.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/smartcard.svg b/windows/security/identity-protection/hello-for-business/images/smartcard.svg
new file mode 100644
index 0000000000..c9d40368b5
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/smartcard.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md
new file mode 100644
index 0000000000..9157046e94
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Allow enumeration of emulated smart card for all users
+
+Windows prevents users on the same device from enumerating provisioned Windows Hello for Business credentials for other users. If you enable this policy setting, Windows allows all users of the device to enumerate all Windows Hello for Business credentials, but still require each user to provide their own factors for authentication. If you disable or don't configure this policy setting, Windows doesn't allow the enumeration of provisioned Windows Hello for Business credentials for other users on the same device.
+
+This policy setting is designed for a single user who enrolls *privileged* and *nonprivileged* accounts on a single device. The user owns both credentials, which enable them to sign-in using nonprivileged credentials, but can perform elevated tasks without signing-out. This policy setting is incompatible with Windows Hello for Business credentials provisioned when the *Turn off smart card emulation* policy setting is enabled.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md
new file mode 100644
index 0000000000..23a614db9d
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Configure device unlock factors
+
+Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified.
+
+If you enable this policy setting, the user must use one factor from each list to successfully unlock. If you disable or don't configure this policy setting, users can continue to unlock with existing options.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/`[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information, see [Multi-factor unlock](../multifactor-unlock.md).
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md
new file mode 100644
index 0000000000..4cd7b376f1
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Configure dynamic lock factors
+
+Configure a comma separated list of signal rules in the form of xml for each signal type.
+
+- If you enable this policy setting, the signal rules are evaluated to detect user absence and automatically lock the device
+- If you disable or don't configure the setting, users can continue to lock with existing options
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/DynamicLock/`[DynamicLock](/windows/client-management/mdm/passportforwork-csp#devicedynamiclock) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md
new file mode 100644
index 0000000000..057da41f74
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Configure enhanced anti-spoofing
+
+This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
+
+- If you enable this setting, Windows requires to use enhanced anti-spoofing for face authentication
+ > [!IMPORTANT]
+ > This disables face authentication on devices that don't support enhanced anti-spoofing.
+- If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for face authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[FacialFeaturesUseEnhancedAntiSpoofing](/windows/client-management/mdm/passportforwork-csp#devicebiometricsfacialfeaturesuseenhancedantispoofing) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md
new file mode 100644
index 0000000000..d5308cbb87
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Enable ESS with supported peripherals
+
+Enhanced Sign-in Security (ESS) adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0.
+With ESS, Windows Hello biometric (face and fingerprint) template data and matching operations are isolated to trusted hardware or specified memory regions, and the rest of the operating system can't access or tamper with them. Since the channel of communication between the sensors and the algorithm is also secured, it's impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.
+
+If you enable this policy, you can configure the following values:
+
+- `0`: ESS is enabled with peripheral or built-in non-ESS sensors. Authentication operations of peripheral Windows Hello capable devices are allowed, subject to current feature limitations. ESS is enabled on devices with a mixture of biometric devices, such as an ESS-capable fingerprint reader and a non-ESS capable camera. Therefore, this setting is not recommended
+- `1`: ESS is enabled without peripheral or built-in non-ESS sensors. Authentication operations of any peripheral biometric device are blocked and not available for Windows Hello. This setting is recommended for highest security
+
+If you disable or not configure this setting, then non-ESS sensors are blocked on the ESS device.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[EnableESSwithSupportedPeripherals](/windows/client-management/mdm/passportforwork-csp#devicebiometricsenableesswithsupportedperipherals) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information, see [How does Enhanced Sign-in Security protect biometric data](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#how-does-enhanced-sign-in-security-protect-biometric-data).
diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md
new file mode 100644
index 0000000000..6d5e71de6c
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Expiration
+
+This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0.
+
+The default value is 0.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**|
diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md
new file mode 100644
index 0000000000..f172d6e9f6
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/history.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### History
+
+This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enhances security by ensuring that old PINs are not reused continually. The value must be between 0 to 50 PINs. If this policy is set to 0, then storage of previous PINs is not required.
+
+The default value is 0.
+
+> [!NOTE]
+> PIN history is not preserved through PIN reset.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md
new file mode 100644
index 0000000000..9ab86cb5f7
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Maximum PIN length
+
+Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. If you configure this policy setting, the PIN length must be less than or equal to this number.
+
+If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
+
+> [!NOTE]
+> If the above specified conditions for the maximum PIN length aren't met, default values are used for both the maximum and minimum PIN lengths.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitymaximumpinlength)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitymaximumpinlength) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md
new file mode 100644
index 0000000000..ba9b806c2b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Minimum PIN length
+
+Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
+
+If you configure this policy setting, the PIN length must be greater than or equal to this number.
+If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 6.
+
+> [!NOTE]
+> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityminimumpinlength)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityminimumpinlength)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-digits.md b/windows/security/identity-protection/hello-for-business/includes/require-digits.md
new file mode 100644
index 0000000000..e2ca5a2621
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-digits.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Require digits
+
+Use this policy setting to configure the use of digits in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one digit in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include digits in their PINs
+- If you don't configure this policy setting, Windows allows, but doesn't require, digits in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitydigits) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md
new file mode 100644
index 0000000000..b84ed743ee
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Require lowercase letters
+
+Use this policy setting to configure the use of lowercase letters in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one lowercase letter in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include lowercase letters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, lowercase letters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitylowercaseletters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
new file mode 100644
index 0000000000..deeb7f56e4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Require special characters
+
+Scope: Machine
+
+Use this policy setting to configure the use of special characters in the PIN. Special characters include the following set:
+
+``` text
+! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
+```
+
+- If you enable this policy setting, Windows requires the user to include at least one special character in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include special characters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, special characters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityspecialcharacters)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityspecialcharacters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
new file mode 100644
index 0000000000..b90cda9fa3
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Require uppercase letters
+
+Use this policy setting to configure the use of uppercase letters in the PIN:
+
+- If you enable this policy setting, Windows requires the user to include at least one uppercase letter in their PIN
+- If you disable this policy setting, Windows doesn't allow the user to include uppercase letters in their PIN
+- If you don't configure this policy setting, Windows allows, but doesn't require, uppercase letters in the PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityuppercaseletters)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityuppercaseletters) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
new file mode 100644
index 0000000000..502e1d18f1
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Turn off smart card emulation
+
+Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications.
+
+- If you enable this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications
+- If you disable or don't configure this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applications
+
+> [!IMPORTANT]
+> This policy affects Windows Hello for Business credentials at the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing credential, enable this policy setting and select *I forgot my PIN* from Settings.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
new file mode 100644
index 0000000000..3dfb45f8ba
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use a hardware security device
+
+A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it can't be used on other devices.
+
+- If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude TPM revision 1.2 modules, which prevents Windows Hello for Business provisioning on those devices
+ > [!TIP]
+ > The TPM 1.2 specification only allows the use of RSA and the SHA-1 hashing algorithm. TPM 1.2 implementations vary in policy settings, which may result in support issues as lockout policies vary. It's recommended to exclude TPM 1.2 devices from Windows Hello for Business provisioning.
+-If you disable or don't configure this policy setting, the TPM is still preferred, but all devices can provision Windows Hello for Business using software if the TPM is nonfunctional or unavailable.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[RequireSecurityDevice](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesrequiresecuritydevice)
`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/`[TPM12](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesexcludesecuritydevicestpm12) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
new file mode 100644
index 0000000000..761017763f
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use biometrics
+
+Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures.
+
+- If you enable or don't configure this policy setting, Windows Hello for Business allows the use biometric gestures
+- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures
+
+> [!NOTE]
+> Disabling this policy prevents the user of biometric gestures on the device for all account types.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[UseBiometrics](/windows/client-management/mdm/passportforwork-csp#devicebiometricsusebiometrics) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
new file mode 100644
index 0000000000..78c1064fbe
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use certificate for on-premises authentication
+
+Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.
+
+- If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication
+- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCertificateForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecertificateforonpremauth)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
**User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**|
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
new file mode 100644
index 0000000000..77b3878741
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use cloud trust for on-premises authentication
+
+Use this policy setting to configure Windows Hello for Business to use the cloud Kerberos trust model.
+
+- If you enable this policy setting, Windows Hello for Business uses a Kerberos ticket retrieved from authenticating to Microsoft Entra ID for on-premises authentication
+- If you disable or don't configure this policy setting, Windows Hello for Business uses a key or certificate (depending on other policy settings) for on-premises authentication
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCloudTrustForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecloudtrustforonpremauth) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+> [!NOTE]
+> Cloud Kerberos trust is incompatible with certificate trust. If the certificate trust policy setting is enabled, it takes precedence over this policy setting.
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
new file mode 100644
index 0000000000..8f28f8f8d1
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use PIN recovery
+
+PIN Recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service, without losing any associated credentials or certificates, including any keys associated with the user's personal accounts on the device.
+
+To achieve this, the PIN recovery service encrypts a recovery secret, which is stored on the device, and requires both the PIN recovery service and the device to decrypt.
+
+PIN recovery requires the user to perform multi-factor authentication to Microsoft Entra ID.
+
+- If you enable this policy setting, Windows Hello for Business uses the PIN recovery service
+- If you disable or don't configure this policy setting, Windows doesn't create or store the PIN recovery secret. If the user forgets their PIN, they must delete their existing PIN and create a new one, and they must re-register with any services to which the old PIN provided access
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesenablepinrecovery)
`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciesenablepinrecovery) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+
+For more information, see [PIN reset](../pin-reset.md).
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
new file mode 100644
index 0000000000..2d3b0707f3
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use Windows Hello for Business certificates as smart card certificates
+
+This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
+
+- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key
+- If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key
+
+This policy setting is incompatible with Windows Hello for Business credentials provisioned when [Turn off smart card emulation](../policy-settings.md#turn-off-smart-card-emulation) is enabled.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusehellocertificatesassmartcardcertificates) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
new file mode 100644
index 0000000000..9278bcd9ef
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
@@ -0,0 +1,32 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 01/03/2024
+ms.topic: include
+---
+
+### Use Windows Hello for Business
+
+- If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users
+- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
+- If you don't configure this policy setting, users can provision Windows Hello for Business
+
+Select the option *Don't start Windows Hello provisioning after sign-in* when you use a third-party solution to provision Windows Hello for Business:
+
+- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
+- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
+
+:::row:::
+:::column span="1":::
+:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
+:::column-end:::
+:::column span="3":::
+> [!IMPORTANT]
+>This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/).
+:::column-end:::
+:::row-end:::
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork)
`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
**User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**|
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index e0be2b5b93..7c03078ac9 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -1,112 +1,106 @@
---
-title: Windows Hello for Business Overview
+title: Windows Hello for Business overview
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
ms.topic: overview
-ms.date: 04/24/2023
+ms.date: 01/03/2024
---
-# Windows Hello for Business Overview
-Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
+# Windows Hello for Business
->[!NOTE]
-> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+## Overview
-Windows Hello addresses the following problems with passwords:
+*Windows Hello* is an authentication technology that allows users to sign in to their Windows devices using biometric data, or a PIN, instead of a traditional password. It provides enhanced security through phish-resistant two-factor authentication, and built-in brute force protection. With FIDO/WebAuthn, Windows Hello can also be used to sign in to supported websites, reducing the need to remember multiple complex passwords.
-- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](/previous-versions/dotnet/netframework-4.0/aa738652(v=vs.100)).
-- Users can inadvertently expose their passwords due to phishing attacks.
+*Windows Hello for Business* is an **extension** of Windows Hello that provides enterprise-grade security and management capabilities, including device attestation, certificate-based authentication, and conditional access policies. Policy settings can be deployed to devices to ensure they're secure and compliant with organizational requirements.
-Windows Hello lets users authenticate to:
+The following table lists the main authentication and security differences between Windows Hello and Windows Hello for business:
-- A Microsoft account.
-- An Active Directory account.
-- A Microsoft Entra account.
-- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.
+||Windows Hello for Business|Windows Hello|
+|-|-|-|
+|**Authentication**|Users can authenticate to:
- A Microsoft Entra ID account
- An Active Directory account
- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|Users can authenticate to:
- A Microsoft account
- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|
+|**Security**|It uses **key-based** or **certificate-based** authentication. There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.
Enhanced security is available on devices with a Trusted Platform Module (TPM).|Users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on the account type. This configuration is referred to as *Windows Hello convenience PIN*, and it's not backed by asymmetric (public/private key) or certificate-based authentication.|
-After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
+> [!NOTE]
+> FIDO2 (Fast Identity Online) authentication is an open standard for passwordless authentication. It allows users to sign in to their devices and apps using biometric authentication or a physical security key, without the need for a traditional password. FIDO2 support in Windows Hello for Business provides an additional layer of security and convenience for users, while also reducing the risk of password-related attacks.
-As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
+## Benefits
+
+Windows Hello for Business provides many benefits, including:
+
+- It helps to strengthen protections against credential theft. An attacker must have both the device and the biometric or PIN, making it much more difficult to gain access without the user's knowledge
+- Since no passwords are used, it circumvents phishing and brute force attacks. Most importantly, it prevents server breaches and replay attacks because the credentials are asymmetric and generated within isolated environments of TPMs
+- Users get a simple and convenient authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. The use of a PIN doesn't compromise security, since Windows Hello has built-in brute force protection, and the PIN never leaves the device
+- You can add biometric devices as part of a coordinated rollout or to specific users, as needed
+
+The following video shows a demonstration of Windows Hello for Business in action, where a user signs in with a fingerprint:
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=fb5ceb53-d82b-4997-bde1-d473b620038a]
+
+## Windows Hello and two factor authentication
+
+Windows Hello for Business uses a two-factor authentication method that combines a device-specific credential with a biometric or PIN gesture. This credential is tied to your identity provider, such as Microsoft Entra ID or Active Directory, and can be used to access organization apps, websites, and services.
+
+After an initial two-step verification of the user during provisioning, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, and a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
+
+Windows Hello for Business is considered two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the *something you know* authentication factor with the *something that is part of you* factor, with the assurances that users can fall back to the *something you know factor*.
## Biometric sign-in
- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
+ Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras and fingerprint readers.
-- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
-- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards.
-- **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices.
+On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials:
-Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
+- **Facial recognition**: this type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors offer external cameras that incorporate this technology, and many laptop manufacturers incorporate it into their devices
+- **Fingerprint recognition**: this type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Most existing fingerprint readers work with Windows, whether they're external or integrated into laptops or USB keyboards
+- **Iris Recognition**: this type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner
-## The difference between Windows Hello and Windows Hello for Business
-
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication.
-
-- *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*.
-
-## Benefits of Windows Hello
-
-Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
-
-You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they're entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
-
-In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services.
-
-> [!NOTE]
-> Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password.
-
-:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png":::
-
-Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
-
-Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
+Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data.
[!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)]
-## How Windows Hello for Business works: key points
+> [!NOTE]
+> Windows Hello for Business doesn't work with [Microsoft Entra Domain Services](/entra/identity/domain-services/overview).
-- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
+## Hardware requirements
-- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account.
+Microsoft collaborates with manufacturers to help ensuring a high-level of performance and protection is met by each sensor and device, based on the following requirements:
-- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
+- **False Accept Rate (FAR):** represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100,000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important regarding the security of the biometric algorithm
+- **False Reject Rate (FRR):** represents the instances a biometric identification solution fails to verify an authorized person correctly. Represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
+### Fingerprint sensor requirements
-- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
+To allow fingerprint matching, devices must have fingerprint sensors and software. Fingerprint sensors can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures.
-- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
+Acceptable performance range for small to large size touch sensors:
-- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+- False Accept Rate (FAR): <0.001 - 0.002%
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
+Acceptable performance range for swipe sensors:
-For details, see [How Windows Hello for Business works](hello-how-it-works.md).
+- False Accept Rate (FAR): <0.002%
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-## Comparing key-based and certificate-based authentication
+### Facial recognition sensors
-Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Microsoft Entra ID as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
+To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md).
+- False Accept Rate (FAR): <0.001%
+- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-## Learn more
+> [!NOTE]
+>Windows Hello face authentication doesn't support wearing a mask during enrollment or authentication. If your working environment doesn't allow you to remove a mask temporarily, consider using PIN or fingerprint.
-[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business)
+### Iris recognition sensor requirements
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft)
+To use Iris authentication, you need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
-[Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources.
+For more information about the hardware requirements for Windows Hello, see [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements).
-[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication)
+## Next steps
-## Related articles
-
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+> [!div class="nextstepaction"]
+>
+> [Learn how Windows Hello for Business works >](how-it-works.md)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
similarity index 82%
rename from windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
rename to windows/security/identity-protection/hello-for-business/multifactor-unlock.md
index a99c25dc3c..2662652a30 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@@ -1,9 +1,10 @@
---
title: Multi-factor unlock
-description: Learn how Windows offers multi-factor device unlock by extending Windows Hello with trusted signals.
-ms.date: 03/30/2023
+description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
+ms.date: 01/03/2024
ms.topic: how-to
---
+
# Multi-factor unlock
Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
@@ -331,35 +332,66 @@ The following example configures **Wi-Fi** as a trusted signal.
```
-## Deploy Multifactor Unlock
+## Configure multi-factor unlock
->[!IMPORTANT]
->You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
+To configure multi-factor unlock you can use:
-### Create the Multifactor Unlock Group Policy object
-
-The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
+- Microsoft Intune/CSP
+- Group policy
>[!IMPORTANT]
>
> - PIN **must** be in at least one of the groups
> - Trusted signals **must** be combined with another credential provider
-> - You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both
-> - The multifactor unlock feature is also supported via the Passport for Work CSP. For more information, see [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp).
+> - You can't use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in bothcategories, it means it can satisfy either category, but not both
-1. Start the **Group Policy Management Console** (`gpmc.msc`).
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-1. Right-click **Group Policy object** and select **New**.
-1. Type *Multifactor Unlock* in the name box and select **OK**.
-1. In the content pane, right-click the **Multifactor Unlock** Group Policy object and select **Edit**.
-1. In the navigation pane, expand **Policies** under **Computer Configuration**.
-1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- 
-1. In the content pane, open **Configure device unlock factors**. Select **Enable**. The **Options** section populates the policy setting with default values.
- 
-1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors).
-1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
-1. Select **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name |
+|--|--|
+| **Administrative Templates** > **Windows Hello for Business** | Device Unlock Plugins |
+
+1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors)
+1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider)
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
+
+| Setting |
+|--------|
+| ./Device/Vendor/MSFT/PassportForWork/[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock)|
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | Configure device unlock factors | Enabled |
+
+1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors)
+1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider)
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+>[!IMPORTANT]
+>You should remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
+
+## User experience
+
+Here's a brief video showing the user experience when multi-factor unlock is enabled:
+
+1. The user first signs in with fingerprint + Bluetooth-paired phone
+1. The user then signs in with fingerprint + PIN
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=2bdf21db-30c9-4d8e-99ff-f3ae72c494fe alt-text="Video showing the user experience of multi-factor unlock using fingerprint+Bluetooth and fingerprint+PIN."]
## Troubleshoot
@@ -374,3 +406,8 @@ Multi-factor unlock writes events to event log under **Application and Services
|6520|Warning event|
|7520|Error event|
|8520|Success event|
+
+
+
+[CSP-1]: /windows/client-management/mdm/passportforwork-csp
+[INT-1]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
deleted file mode 100644
index fd387134b6..0000000000
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ /dev/null
@@ -1,338 +0,0 @@
----
-title: Password-less strategy
-description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
-ms.topic: conceptual
-ms.date: 05/24/2022
----
-
-# Password-less strategy
-
-This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy.
-
-## Four steps to password freedom
-
-Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
-
-:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
-
-### 1. Develop a password replacement offering
-
-Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.
-
-Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
-
-### 2. Reduce user-visible password surface area
-
-With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
-
-### 3. Transition into a password-less deployment
-
-Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
-
-- The users never type their password.
-- The users never change their password.
-- The users don't know their password.
-
-In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
-
-### 4. Eliminate passwords from the identity directory
-
-The final step of the password-less story is where passwords simply don't exist. At this step, identity directories no longer persist any form of the password. This stage is where Microsoft achieves the long-term security promise of a truly password-less environment.
-
-## Methodology
-
-Four steps to password freedom provide an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a password-less environment, but can easily become overwhelmed by any of the steps. You aren't alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here's one recommendation based on several years of research, investigation, and customer conversations.
-
-### Prepare for the journey
-
-The road to being password-less is a journey. The duration of that journey varies for each organization. It's important for IT decision-makers to understand the criteria influencing the length of that journey.
-
-The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the following components:
-
-- Number of departments
-- Organization or department hierarchy
-- Number and type of applications and services
-- Number of work personas
-- Organization's IT structure
-
-#### Number of departments
-
-The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and others such as research and development or support. Small organizations may not explicitly segment their departments, while larger ones may. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well.
-
-You need to know all the departments within your organization and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you've assessed that it's not applicable.
-
-Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy.
-
-#### Organization or department hierarchy
-
-Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.
-
-#### Number and type of applications and services
-
-Most organizations have many applications and rarely do they have one centralized list that's accurate. Applications and services are the most critical items in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
-
-Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications.
-
-#### Number of work personas
-
-Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona.
-
-A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you'll have many work personas. These work personas will become units of work, and you'll refer to them in documentation and in meetings. You need to give them a name.
-
-Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
-
-Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software.
-
-#### Organization's IT structure
-
-IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there's a password-less stakeholder on each of these teams, and that the effort is understood and funded.
-
-#### Assess your organization
-
-You have a ton of information. You've created your work personas, you've identified your stakeholders throughout the different IT groups. Now what?
-
-By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces may exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity.
-
-How long does it take to become password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that a password-less environment is the organization's goal makes conversations much easier. Easier conversations mean less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they've agreed on the strategy). Those resources will:
-
-- Work through the work personas.
-- Organize and deploy user acceptance testing.
-- Evaluate user acceptance testing results for user visible password surfaces.
-- Work with stakeholders to create solutions that mitigate user visible password surfaces.
-- Add the solution to the project backlog and prioritize against other projects.
-- Deploy the solution.
-- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface.
-- Repeat the testing as needed.
-
-Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it's likely that to go password-less tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a password-less state.
-
-### Where to start?
-
-What's the best guidance for kicking off the journey to password freedom? You'll want to show your management a proof of concept as soon as possible. Ideally, you want to show it at each step of your password-less journey. Keeping your password-less strategy top of mind and showing consistent progress keeps everyone focused.
-
-#### Work persona
-
-You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you'll enable so that you can climb the steps to password freedom.
-
-> [!IMPORTANT]
-> Avoid using any work personas from your IT department. This method is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
-
-Review your collection of work personas. Early in your password-less journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept or pilot.
-
-Most organizations host their proof of concept in a test lab or environment. If you do that test with a password-free strategy, it may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona.
-
-You'll want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline.
-
-## The process
-
-The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this:
-
-1. Password-less replacement offering (step 1)
- 1. Identify test users representing the targeted work persona.
- 2. Deploy Windows Hello for Business to test users.
- 3. Validate that passwords and Windows Hello for Business work.
-2. Reduce user-visible password surface (step 2)
- 1. Survey test user workflow for password usage.
- 2. Identify password usage and plan, develop, and deploy password mitigations.
- 3. Repeat until all user password usage is mitigated.
- 4. Remove password capabilities from Windows.
- 5. Validate that **none of the workflows** need passwords.
-3. Transition into a password-less scenario (step 3)
- 1. Awareness campaign and user education.
- 2. Include remaining users who fit the work persona.
- 3. Validate that **none of the users** of the work personas need passwords.
- 4. Configure user accounts to disallow password authentication.
-
-After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
-
-### Password-less replacement offering (step 1)
-
-The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Microsoft Entra ID and Active Directory.
-
-#### Identify test users that represent the targeted work persona
-
-A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
-
-#### Deploy Windows Hello for Business to test users
-
-Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](index.md) to deploy Windows Hello for Business.
-
-With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
-
-> [!NOTE]
-> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Microsoft Entra ID. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
-
-#### Validate that passwords and Windows Hello for Business work
-
-In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
-
-### Reduce user-visible password surface (step 2)
-
-Before you move to step 2, make sure you've:
-
-- Selected your targeted work persona.
-- Identified your test users who represent the targeted work persona.
-- Deployed Windows Hello for Business to test users.
-- Validated passwords and Windows Hello for Business both work for the test users.
-
-#### Survey test user workflow for password usage
-
-Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2.
-
-Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
-
-- What's the name of the application that asked for a password?
-- Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?
-- What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."
-- How frequently do you use this application in a given day or week?
-- Is the password you type into the application the same as the password you use to sign-in to Windows?
-
-Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being password-less.
-
-#### Identify password usage and plan, develop, and deploy password mitigations
-
-Your test users have provided you valuable information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password.
-
-Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it's policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
-
-Keep in mind your test users won't uncover all scenarios. Some scenarios you'll need to force on your users because they're low percentage scenarios. Remember to include the following scenarios:
-
-- Provisioning a new brand new user without a password.
-- Users who forget the PIN or other remediation flows when the strong credential is unusable.
-
-Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice will certainly vary by organization.
-
-Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
-
-Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
-
-The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
-
-Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
-
-#### Repeat until all user password usage is mitigated
-
-Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you've closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance.
-
-#### Remove password capabilities from Windows
-
-You believe you've mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password.
-
-Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
-
-##### Security policy
-
-You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-
-:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
-
-**Windows Server 2016 and earlier**
-The policy name for these operating systems is **Interactive logon: Require smart card**.
-
-:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
-
-**Windows 10, version 1703 or later using Remote Server Administrator Tools**
-The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-
-:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
-
-When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
-
-#### Excluding the password credential provider
-
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
-
-:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
-
-The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
-
-:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
-
-Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
-
-#### Validate that none of the workflows needs passwords
-
-This stage is the significant moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users won't be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well.
-
-### Transition into a password-less deployment (step 3)
-
-Congratulations! You're ready to transition one or more portions of your organization to a password-less deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
-
-#### Awareness and user education
-
-In this last step, you're going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this step, you want to invest in an awareness campaign.
-
-An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
-
-#### Including remaining users that fit the work persona
-
-You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being password-less. Add the remaining users that match the targeted work persona to your deployment.
-
-#### Validate that none of the users of the work personas needs passwords
-
-You've successfully transitioned all users for the targeted work persona to being password-less. Monitor the users within the work persona to ensure they don't encounter any issues while working in a password-less environment.
-
-Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:
-
-- Is the reporting user performing a task outside the work persona?
-- Is the reported issue affecting the entire work persona, or only specific users?
-- Is the outage a result of a misconfiguration?
-- Is the outage an overlooked gap from step 2?
-
-Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
-
-Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming password-less. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
-
-#### Configure user accounts to disallow password authentication
-
-You transitioned all the users for the targeted work persona to a password-less environment and you've successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
-
-You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object.
-
-The account options on a user account include the option **Smart card is required for interactive logon**, also known as SCRIL.
-
-> [!NOTE]
-> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
-
-The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
-
-:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
-
-When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
-
-- They don't know their password.
-- Their password is 128 random bits of data and is likely to include non-typable characters.
-- The user isn't asked to change their password.
-- Domain controllers don't allow passwords for interactive authentication.
-
-The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
-
-:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
-
-> [!NOTE]
-> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
->
-> 1. Disable the setting.
-> 1. Save changes.
-> 1. Enable the setting.
-> 1. Save changes again.
->
-> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
-
-The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
-
-:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
-
-> [!TIP]
-> Windows Hello for Business was formerly known as Microsoft Passport.
-
-##### Automatic password change for SCRIL configured users
-
-Domains configured for Windows Server 2016 or later domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
-
-In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
-
-:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
-
-> [!NOTE]
-> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
diff --git a/windows/security/identity-protection/hello-for-business/pin-reset.md b/windows/security/identity-protection/hello-for-business/pin-reset.md
index 1b06da1cd6..85a33cf10c 100644
--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@@ -1,7 +1,7 @@
---
title: PIN reset
description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
-ms.date: 12/12/2023
+ms.date: 01/03/2024
ms.topic: how-to
---
@@ -38,8 +38,6 @@ The following table compares destructive and nondestructive PIN reset:
|**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
-
-
## Enable the Microsoft PIN Reset Service in your Microsoft Entra tenant
Before you can use nondestructive PIN reset, you must register two applications in your Microsoft Entra tenant:
@@ -176,8 +174,6 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
+----------------------------------------------------------------------+
```
-
-
## Configure allowed URLs for federated identity providers on Microsoft Entra joined devices
**Applies to:** Microsoft Entra joined devices
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
new file mode 100644
index 0000000000..050b2a862d
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -0,0 +1,86 @@
+---
+title: Windows Hello for Business policy settings
+description: Learn about the policy settings to configure Configure Windows Hello for Business.
+ms.topic: reference
+ms.date: 01/03/2024
+---
+
+# Windows Hello for Business policy settings
+
+This reference article provides a comprehensive list of policy settings for Windows Hello for Business. The list of settings is sorted alphabetically and organized in four categories:
+
+- **Feature settings**: used to enable Windows Hello for Business and configure basic options
+- **PIN setting**: used to configure PIN authentication, like PIN complexity and recovery
+- **Biometric setting**: used to configure biometric authentication
+- **Smart card settings**: used to configure smart card authentication used in conjunction with Windows Hello for Business
+
+For information about how to configure these settings, see [Configure Windows Hello for Business](configure.md).
+
+Select one of the tabs to see the list of available settings:
+
+# [:::image type="icon" source="images/hello.svg"::: **Feature settings**](#tab/feature)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Configure device unlock factors](#configure-device-unlock-factors)|✅|✅|
+|[Configure dynamic lock factors](#configure-dynamic-lock-factors)|✅|✅|
+|[Use a hardware security device](#use-a-hardware-security-device)|✅|✅|
+|[Use certificate for on-premises authentication](#use-certificate-for-on-premises-authentication)|✅|✅|
+|[Use cloud (Kerberos) trust for on-premises authentication](#use-cloud-trust-for-on-premises-authentication)|✅|✅|
+|[Use Windows Hello for Business](#use-windows-hello-for-business)|✅|✅|
+
+[!INCLUDE [configure-device-unlock-factors](includes/configure-device-unlock-factors.md)]
+[!INCLUDE [configure-dynamic-lock-factors](includes/configure-dynamic-lock-factors.md)]
+[!INCLUDE [use-a-hardware-security-device](includes/use-a-hardware-security-device.md)]
+[!INCLUDE [use-certificate-for-on-premises-authentication](includes/use-certificate-for-on-premises-authentication.md)]
+[!INCLUDE [use-cloud-trust-for-on-premises-authentication](includes/use-cloud-trust-for-on-premises-authentication.md)]
+[!INCLUDE [use-windows-hello-for-business](includes/use-windows-hello-for-business.md)]
+
+# [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin)
+
+|Setting Name|CSP|GPO|
+|-|-|-|-|
+|[Expiration](#expiration)|✅|✅|
+|[History](#history)|✅|✅|
+|[Maximum PIN length](#maximum-pin-length)|✅|✅|
+|[Minimum PIN length](#minimum-pin-length)|✅|✅|
+|[Require digits](#require-digits)|✅|✅|
+|[Require lowercase letters](#require-lowercase-letters)|✅|✅|
+|[Require special characters](#require-special-characters)|✅|✅|
+|[Require uppercase letters](#require-uppercase-letters)|✅|✅|
+|[Use PIN recovery](#use-pin-recovery)|✅|✅|
+
+[!INCLUDE [expiration](includes/expiration.md)]
+[!INCLUDE [history](includes/history.md)]
+[!INCLUDE [maximum-pin-length](includes/maximum-pin-length.md)]
+[!INCLUDE [minimum-pin-length](includes/minimum-pin-length.md)]
+[!INCLUDE [require-digits](includes/require-digits.md)]
+[!INCLUDE [require-lowercase-letters](includes/require-lowercase-letters.md)]
+[!INCLUDE [require-special-characters](includes/require-special-characters.md)]
+[!INCLUDE [require-uppercase-letters](includes/require-uppercase-letters.md)]
+[!INCLUDE [use-pin-recovery](includes/use-pin-recovery.md)]
+
+# [:::image type="icon" source="images/fingerprint.svg"::: **Biometric settings**](#tab/bio)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Configure enhanced anti-spoofing](#configure-enhanced-anti-spoofing)|✅|✅|
+|[Enable ESS with Supported Peripherals](#enable-ess-with-supported-peripherals)|✅|✅|
+|[Use biometrics](#use-biometrics)|✅|✅|
+
+[!INCLUDE [configure-enhanced-anti-spoofing](includes/configure-enhanced-anti-spoofing.md)]
+[!INCLUDE [enable-ess-with-supported-peripherals](includes/enable-ess-with-supported-peripherals.md)]
+[!INCLUDE [use-biometrics](includes/use-biometrics.md)]
+
+# [:::image type="icon" source="images/smartcard.svg"::: **Smart card settings**](#tab/smartcard)
+
+|Setting Name|CSP|GPO|
+|-|-|-|
+|[Turn off smart card emulation](#turn-off-smart-card-emulation)|❌|✅|
+|[Allow enumeration of emulated smart card for all users](#allow-enumeration-of-emulated-smart-card-for-all-users)|❌|✅|
+|[Use Windows Hello for Business certificates as smart card certificates](#use-windows-hello-for-business-certificates-as-smart-card-certificates)|✅|✅|
+
+[!INCLUDE [allow-enumeration-of-emulated-smart-card-for-all-users](includes/allow-enumeration-of-emulated-smart-card-for-all-users.md)]
+[!INCLUDE [turn-off-smart-card-emulation](includes/turn-off-smart-card-emulation.md)]
+[!INCLUDE [use-windows-hello-for-business-certificates-as-smart-card-certificates](includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md)]
+---
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index f3b6b984fe..6a84e6ea32 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -271,16 +271,7 @@ Here's a brief video showing the user experience from a Microsoft Entra joined d
While users appreciate the convenience of biometrics, and administrators value the security, you might experience compatibility issues with applications and Windows Hello for Business certificates. In such scenarios, you can deploy a policy setting to revert to the previous behavior for the users needing it.
-### Use Windows Hello for Business certificates as smart card certificates
-
-If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
-
-If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates. Biometric factors are available when a user is asked to authorize the use of the certificate's private key.
-
-| | Path |
-|--|--|
-| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates][WIN-1]|
-| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** |
+For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 61aa6291c3..d328574c69 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -1,40 +1,31 @@
items:
- name: Overview
href: index.md
-- name: Concepts
- expanded: true
+- name: How Windows Hello for Business works
items:
- - name: Why a PIN is better than a password
- href: hello-why-pin-is-better-than-password.md
- - name: Windows Hello biometrics in the enterprise
- href: hello-biometrics-in-enterprise.md
- - name: How Windows Hello for Business works
- href: hello-how-it-works.md
-- name: Plan a Windows Hello for Business deployment
- href: hello-planning-guide.md
+ - name: Core concepts
+ href: how-it-works.md
+ - name: How device registration works 🔗
+ href: /entra/identity/devices/device-registration-how-it-works
+ - name: How provisioning works
+ href: how-it-works-provisioning.md
+ - name: How authentication works
+ href: how-it-works-authentication.md
+- name: Configure Windows Hello for Business
+ href: configure.md
- name: Deployment guides
href: deploy/toc.yml
-- name: How-to Guides
+- name: How-to-guides
items:
- - name: Prepare people to use Windows Hello
- href: hello-prepare-people-to-use.md
- - name: Manage Windows Hello for Business in your organization
- href: hello-manage-in-organization.md
- - name: Windows Hello and password changes
- href: hello-and-password-changes.md
-- name: Windows Hello for Business features
- items:
- - name: PIN reset
+ - name: Configure PIN reset
href: pin-reset.md
- - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
- href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- - name: Dual enrollment
+ - name: Configure dual enrollment
href: hello-feature-dual-enrollment.md
- - name: Dynamic Lock
+ - name: Configure dynamic lock
href: hello-feature-dynamic-lock.md
- - name: Multi-factor Unlock
- href: feature-multifactor-unlock.md
- - name: Remote desktop (RDP) sign-in
+ - name: Configure multi-factor unlock
+ href: multifactor-unlock.md
+ - name: Configure remote desktop (RDP) sign-in
href: rdp-sign-in.md
- name: Troubleshooting
items:
@@ -44,16 +35,11 @@ items:
href: hello-errors-during-pin-creation.md
- name: Reference
items:
- - name: How Windows Hello for Business provisioning works
- href: hello-how-it-works-provisioning.md
- - name: How Windows Hello for Business authentication works
- href: hello-how-it-works-authentication.md
+ - name: Windows Hello for Business policy settings
+ href: policy-settings.md
- name: WebAuthn APIs
href: webauthn-apis.md
- - name: Technology and terminology
- href: hello-how-it-works-technology.md
+ - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+ href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
- name: Frequently Asked Questions (FAQ)
- href: hello-faq.yml
- - name: Windows Hello for Business videos
- href: hello-videos.md
-
+ href: faq.yml
diff --git a/windows/security/identity-protection/images/security-stages.png b/windows/security/identity-protection/images/security-stages.png
deleted file mode 100644
index 249ced9d4b..0000000000
Binary files a/windows/security/identity-protection/images/security-stages.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/passwordless-strategy/images/lock-screen.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png
rename to windows/security/identity-protection/passwordless-strategy/images/lock-screen.png
diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png
new file mode 100644
index 0000000000..9e6208dc50
Binary files /dev/null and b/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png differ
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg
new file mode 100644
index 0000000000..e94f7a1297
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg
@@ -0,0 +1,28 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg
new file mode 100644
index 0000000000..e2aa74f089
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg
@@ -0,0 +1,26 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg
new file mode 100644
index 0000000000..add20cb602
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg
@@ -0,0 +1,28 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg
new file mode 100644
index 0000000000..688724e117
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg
@@ -0,0 +1,26 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg
new file mode 100644
index 0000000000..6faecafc75
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg
@@ -0,0 +1,28 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg
new file mode 100644
index 0000000000..b5cfd72d86
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg
@@ -0,0 +1,26 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg
new file mode 100644
index 0000000000..4507a878b5
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg
@@ -0,0 +1,28 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg
new file mode 100644
index 0000000000..2eeee15393
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg
@@ -0,0 +1,26 @@
+
diff --git a/windows/security/identity-protection/passwordless-strategy/index.md b/windows/security/identity-protection/passwordless-strategy/index.md
new file mode 100644
index 0000000000..b0887dd2fd
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/index.md
@@ -0,0 +1,153 @@
+---
+title: Passwordless strategy overview
+description: Learn about the passwordless strategy and how Windows security features help implementing it.
+ms.topic: concept-article
+ms.date: 01/29/2024
+---
+
+# Passwordless strategy overview
+
+This article describes Microsoft's passwordless strategy and how Windows security features help implementing it.
+
+## Four steps to password freedom
+
+Microsoft is working hard to create a world where passwords are no longer needed. This is how Microsoft envisions the four steps approach to end the era of passwords for the organizations:
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-1-on.svg" border="false":::
+ :::column-end:::
+ :::column span="3":::
+ ### Deploy a password replacement option
+ :::column-end:::
+:::row-end:::
+
+Before you move away from passwords, you need something to replace them. Windows Hello for Business and FIDO2 security keys offer a strong, hardware-protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.\
+Deploy Windows Hello for Business or FIDO2 security keys is the first step toward a passwordless environment. Users are likely to use these features because of their convenience, especially when combined with biometrics. However, some workflows and applications might still need passwords. This early stage is about implementing an alternative solution to passwords, and getting users accustomed to it.
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-2-on.svg" border="false":::
+ :::column-end:::
+ :::column span="3":::
+ ### Reduce user-visible password surface area
+ :::column-end:::
+:::row-end:::
+
+With a password replacement option and passwords coexisting in the environment, the next step is to reduce the password surface area. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, **but they never use it**. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. **Password prompts are no longer the norm**.
+
+
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-3-on.svg" border="false":::
+ :::column-end:::
+ :::column span="3":::
+ ### Transition into a passwordless deployment
+ :::column-end:::
+:::row-end:::
+
+Once the user-visible password surface is eliminated, your organization can begin to transition users into a passwordless environment. In this stage, users never type, change, or even know their password.\
+The user signs in to Windows using Windows Hello for Business or FIDO2 security keys, and enjoys single sign-on to Microsoft Entra ID and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business or FIDO2 security keys.
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-4-on.svg" border="false":::
+ :::column-end:::
+ :::column span="3":::
+ ### Eliminate passwords from the identity directory
+ :::column-end:::
+:::row-end:::
+
+The final step of the passwordless journey is where passwords don't exist. At this stage, identity directories don't store any form of the password.
+
+## Prepare for the passwordless journey
+
+The road to being passwordless is a journey. The duration of the journey varies for each organization. It's important for IT decision makers to understand the criteria influencing the length of that journey.
+
+The most intuitive answer is the size of the organization, but what exactly defines size? We can look at these factors to get a summary of the organization's size:
+
+| Size factor | Details |
+|--|--|
+| **Number of departments**|The number of departments within an organization varies. Most organizations have a common set of departments such as *executive leadership*, *human resources*, *accounting*, *sales*, and *marketing*. Small organizations might not explicitly segment their departments, while larger ones might. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well.
You need to know all the departments within your organization, and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and that it's not applicable.
Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes passwordless, but your partners continue to use passwords to access your corporate resources, you should know about it and include them in your passwordless strategy.|
+| **Organization or department hierarchy**|Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.|
+| **Number and type of applications and services**|Most organizations have many applications and rarely have one centralized list that's accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You also want to document whether the application is internally developed or commercially available off-the-shelf. If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications.|
+| **Number of work personas**|Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona.
A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you have many work personas. These work personas will become units of work, and you refer to them in documentation and in meetings. You need to give them a name.
Give your personas easy and intuitive names like *Amanda - Accounting*, *Mark - Marketing*, or *Sue - Sales*. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, *Amanda* could be the first name of an individual contributor in any given department, while the first name *Sue* could represent someone from middle management in any given department. Additionally, you can use suffixes (such as *I*, *II*, *Senior*, etc.) to further define departmental structure for a given persona.
Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software.|
+| **Organization's IT structure**|IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the *client authentication* team, the *deployment* team, the *security* team, the *PKI* team, the *identity* team, the *cloud* team, etc. Most of these teams are your partner on your journey to password freedom. Ensure there's a passwordless stakeholder on each of these teams, and that the effort is understood and funded.|
+
+## Assess your organization
+
+By now you can understand why this is a journey and not a quick task. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces might exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity.
+
+The time to complete the passwordless journey varies, depending on the organizational alignment to a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations easier. Easier conversations mean less time spent convincing people and more time spent moving toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will:
+
+- Work through the work personas
+- Organize and deploy user acceptance testing
+- Evaluate user acceptance testing results for user visible password surfaces
+- Work with stakeholders to create solutions that mitigate user visible password surfaces
+- Add the solution to the project backlog and prioritize against other projects
+- Deploy the solution
+- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface
+- Repeat the testing as needed
+
+Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it's likely that to go passwordless tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a passwordless state.
+
+What's the best guidance for kicking off the journey to password freedom? **You want to show your management a proof of concept as soon as possible**. Ideally, you want to show it at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused.
+
+## Work persona
+
+You begin with your work personas. These were part of your preparation process. They have a persona name, such as *Amanda - Accounting II*, or any other naming convention your organization defined. That work persona includes a list of all the applications *Amanda* uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you enable to complete the journey.
+
+> [!TIP]
+> Avoid using any work personas from your IT department. This method is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
+
+Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept (POC) or pilot.
+
+Most organizations host their POC in a test lab or environment. If you do that test with a password-free strategy, it might be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona.
+
+You want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it might be advantageous to your timeline.
+
+The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this:
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+**[Deploy a passwordless replacement option](journey-step-1.md)**
+- Identify test users representing the targeted work persona
+- Deploy Windows Hello for Business to test users
+- Validate that passwords and Windows Hello for Business work
+ :::column-end:::
+ :::column span="1":::
+**[Reduce user-visible password surface](journey-step-2.md)**
+- Survey test user workflow for password usage
+- Identify password usage and plan, develop, and deploy password mitigations
+- Repeat until all user password usage is mitigated
+- Remove password capabilities from Windows
+- Validate that **none of the workflows** need passwords
+ :::column-end:::
+ :::column span="1":::
+**[Transition into a passwordless scenario](journey-step-3.md)**
+- Awareness campaign and user education
+- Include remaining users who fit the work persona
+- Validate that **none of the users** of the work personas need passwords
+- Configure user accounts to prevent password authentication
+ :::column-end:::
+:::row-end:::
+
+After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+>
+> [Step 1: deploy a passwordless replacement option >](journey-step-1.md)
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-1.md b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md
new file mode 100644
index 0000000000..0708d80254
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md
@@ -0,0 +1,61 @@
+---
+title: Deploy a passwordless replacement option
+description: Learn about how to deploy a passwordless replacement option, the first step of the Microsoft passwordless journey.
+ms.topic: concept-article
+ms.date: 01/29/2024
+---
+
+# Deploy a passwordless replacement option
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-4-off.svg" border="false":::
+ :::column-end:::
+:::row-end:::
+
+The first step to password freedom is providing an alternative to passwords.\
+Windows provides an affordable and easy in-box alternative to passwords, *Windows Hello for Business*. Another option is to use *FIDO2 security keys*, but they require the organization to purchase and distribute them.
+
+Both options provide a strong, two-factor authentication to Microsoft Entra ID and Active Directory.
+
+## Identify test users representing the targeted work persona
+
+A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you might want to change a few of the users (or add a few) as part of your validation process.
+
+## Deploy Windows Hello for Business or FIDO2 security keys to test users
+
+Next, you want to plan your password replacement deployment. Your test users need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business planning guide](..\hello-for-business\deploy\index.md) to help learning which deployment is best suited for your environment. Next, use one of the deployment guides to deploy Windows Hello for Business. With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You use the first work persona to validate your Windows Hello for Business deployment.
+
+If you decide to use FIDO2 security keys, follow the [Enable security key sign-in to Windows guide](/entra/identity/authentication/howto-authentication-passwordless-security-key-windows) to learn how to adopt FIDO2 security keys.
+
+> [!NOTE]
+> Deployments vary based on how the device is joined to Microsoft Entra ID. Review the planning guide to learn the type of infrastructure required to support your devices.
+
+## Validate passwords and Windows Hello for Business or FIDO2 security keys
+
+In this first step, passwords and your password replacement choice must coexist. You want to validate all scenarios while the targeted work personas can sign in and unlock using Windows Hello or security keys. Users can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
+
+:::image type="content" source="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers." border="false":::
+
+## Next steps
+
+> [!div class="checklist"]
+> Before you move to step 2, make sure you've:
+>
+> - Selected your targeted work persona
+> - Identified your test users who represent the targeted work persona
+> - Deployed Windows Hello for Business or FIDO2 security keys to test users
+> - Validated that both your password replacement choice and passwords work for the test users
+
+> [!div class="nextstepaction"]
+>
+> [Step 2: reduce the user-visible password surface area >](journey-step-2.md)
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md
new file mode 100644
index 0000000000..4d8d3b920a
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md
@@ -0,0 +1,105 @@
+---
+title: Reduce the user-visible password surface area
+description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
+ms.topic: concept-article
+ms.date: 01/29/2024
+---
+
+# Reduce the user-visible password surface area
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-4-off.svg" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Survey test user workflow for password usage
+
+Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
+
+| | Question |
+|--|--|
+| **🔲** | *What's the name of the application that asked for a password?* |
+| **🔲** | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* |
+| **🔲** | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* |
+| **🔲** | *How frequently do you use the application in a given day or week?* |
+| **🔲** | *Is the password you type into the application the same as the password you use to sign-in to Windows?* |
+
+Some organizations empower their users to write this information, while some might insist on having a member of the IT department shadow them. An objective viewer might notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.
+
+## Identify password usage and plan, develop, and deploy password mitigations
+
+Your test users provided you valuable with information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password.\
+Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is asked to provide a password. Include relevant, but accurate details. If the scenario is policy or procedure-driven, then include the name and section of the policy that dictates why the workflow uses a password.
+
+Your test users won't uncover all scenarios, therefore you must force on them some uncommon scenarios. Remember to include the following:
+
+- Provision a new user with an unknown password
+- Users who forget the PIN or other remediation flows when the strong credential is unusable
+
+Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice varies by organization.
+
+Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details are likely included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
+
+Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
+
+The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+
+Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with third-party software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication.
+
+## Repeat until all user password usage is mitigated
+
+Some or all of your mitigations are in place. You need to validate that your solutions solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace or add a few. Survey test users workflow for password usage. If all goes well, you closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance.
+
+## Remove password capabilities from Windows
+
+You believe you mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password.\
+Windows offers three main options to reduce or eliminate the password surface area:
+
+- Windows passwordless experience
+- Exclude the password credential provider
+- Require Windows Hello for Business or a smart card
+
+### Windows passwordless experience
+
+*Windows Passwordless experience* is a security policy that hides the password credential provider for user accounts that sign in with Windows Hello or a FIDO2 security key. Windows Passwordless experience is the recommended option, but it's only available on Microsoft Entra joined devices. The following image shows the Windows lock screen when Windows passwordless experience is enabled. A user enrolled in Windows Hello for Business doesn't have the option to use a password to sign in:
+
+:::image type="content" source="images/passwordless-experience.png" alt-text="Screenshot of the Windows lock screen with passwordless experience enabled." border="false":::
+
+To learn more, see [Windows passwordless experience](../passwordless-experience/index.md)
+
+### Exclude the password credential provider
+
+The *Exclude credential providers* policy setting can be used to disable the password credential provider. When configured, Windows disables the possibility to use passwords for *all accounts*, including local accounts. It also prevents the use of passwords for RDP and *Run as* authentication scenarios. This policy setting might impact support scenarios, such as when a user needs to sign in with a local account to troubleshoot a problem. For this reason, carefully evaluate all scenarios before you enable the setting.
+
+- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Exclude credential providers**
+- CSP: `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders)
+
+The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
+
+### Require Windows Hello for Business or a smart card
+
+The *Require Windows Hello for Business or a smart card* policy setting can be used to require Windows Hello for Business or a smart card for interactive logon. When enabled, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. Before you enable this policy setting, the user must be enrolled in Windows Hello for Business or have a smart card. Therefore, implementing this policy requires careful planning and coordination.
+
+- GPO: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Interactive logon: Require Windows Hello for Business or smart card**
+- CSP: not available
+
+## Validate that none of the workflows needs passwords
+
+This stage is the significant moment. You identified password usage, developed solutions to mitigate password usage, and removed or disabled password usage from Windows. In this configuration, your users can't use a password. Users are blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
+>
+> [Step 3: transition into a passwordless deployment >](journey-step-3.md)
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
new file mode 100644
index 0000000000..b50cd4f910
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@@ -0,0 +1,144 @@
+---
+title: Transition into a passwordless deployment
+description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
+ms.topic: concept-article
+ms.date: 01/29/2024
+---
+
+# Transition into a passwordless deployment
+
+:::row:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="icon" source="images/step-4-off.svg" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Awareness and user education
+
+In this last step, you're going to include the remaining users that fit the targeted work persona to the passwordless deployment. Before you do this step, you want to invest in an awareness campaign.
+
+An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
+
+> [!TIP]
+> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails).
+
+## Include remaining users that fit the work persona
+
+You implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
+
+## Validate that none of the users of the work personas need passwords
+
+You successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they don't encounter any issues while working in a passwordless environment.
+
+Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:
+
+| | Question |
+|--|--|
+| **🔲** | *Is the reporting user performing a task outside the work persona?* |
+| **🔲** | *Is the reported issue affecting the entire work persona, or only specific users?* |
+| **🔲** | *Is the outage a result of a misconfiguration?* |
+| **🔲** | *Is the outage an overlooked gap from step 2?* |
+
+Each organization's priority and severity differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
+
+Resolve the issues per your service level agreements. Higher severity items might require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2, and progress forward to a solution, deploying that solution and validating it.
+
+> [!TIP]
+> Monitor your domain controllers for password authentication events. This helps to proactively identify users who are still using passwords, and to reach out to them.
+
+## Configure user accounts to prevent password authentication
+
+You transitioned all the users for the targeted work persona to a passwordless environment and validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password.
+
+### Password scrambling
+
+While you can't completely remove the password from the user's account, you can prevent the user from using the password to authenticate. The easiest and most effective approach is to set the password to a random value. This approach prevents the user from knowing the password and using it to authenticate, but it allows the user to reset the password whenever needed.
+
+> [!TIP]
+> Enable [Microsoft Entra self-service password reset (SSPR)](/entra/identity/authentication/tutorial-enable-sspr) to allow the users to reset their password. Once implemented, users can sign in to their Windows devices using Windows Hello for Business or a FIDO2 security key, and reset their password from https://aka.ms/sspr. Combine it with [password writeback](/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback) to have the password reset synchronized to your on-premises Active Directory.
+
+The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId against Microsoft Entra ID.
+Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords.
+
+```azurepowershell-interactive
+$userId = "
- **Data type:** string
- **Value:** `
- **Data type:** string
- **Value:** `
Possible values for `RestrictedRemoteAdministrationDrop` are:
- `0`: Disabled
- `1`: Require Restricted Admin
- `2`: Require Remote Credential Guard
- `3`: Restrict credential delegation |
-#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
@@ -181,7 +181,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
-#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+#### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
Not documented.
@@ -224,5 +224,4 @@ Here are some considerations for Remote Credential Guard:
[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp
[INT-3]: /mem/intune/configuration/settings-catalog
[LEARN-1]: /windows-server/identity/laps/laps-overview
-[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx
[PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index 26eafa1368..9d0a3a0397 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -4,7 +4,7 @@ items:
- name: Passwordless sign-in
items:
- name: Passwordless strategy
- href: hello-for-business/passwordless-strategy.md
+ href: passwordless-strategy/toc.yml
- name: Windows Hello for Business
href: hello-for-business/toc.yml
- name: Windows presence sensing
@@ -28,8 +28,8 @@ items:
href: /education/windows/federated-sign-in
- name: Advanced credential protection
items:
- - name: Windows LAPS (Local Administrator Password Solution) 🔗
- displayName: LAPS
+ - name: Windows LAPS 🔗
+ displayName: Local Administrator Password Solution
href: /windows-server/identity/laps/laps-overview
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
diff --git a/windows/security/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg
index ace95add6b..c9cb511415 100644
--- a/windows/security/images/icons/group-policy.svg
+++ b/windows/security/images/icons/group-policy.svg
@@ -1,3 +1,9 @@
-
\ No newline at end of file
+
diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg
new file mode 100644
index 0000000000..bc4aa2f534
--- /dev/null
+++ b/windows/security/images/icons/registry.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/images/insider.png b/windows/security/images/insider.png
index dbe00408cb..dc227a95bd 100644
Binary files a/windows/security/images/insider.png and b/windows/security/images/insider.png differ
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 99c0f44731..8f543bcde6 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -8,6 +8,7 @@ metadata:
ms.topic: hub-page
ms.collection:
- tier1
+ - essentials-navigation
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index 92105b512d..dd2492a6b9 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -4,6 +4,9 @@ description: System security book.
ms.date: 09/01/2023
ms.topic: tutorial
ms.author: paoloma
+ms.collection:
+ - essentials-security
+ - essentials-overview
content_well_notification:
- AI-contribution
author: paolomatarazzo
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png
deleted file mode 100644
index f158bc4c67..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg
new file mode 100644
index 0000000000..27acdfd665
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
index f81e6c585f..f0745f7122 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@@ -46,7 +46,7 @@ The server side configuration to enable Network Unlock also requires provisionin
The Network Unlock process follows these phases:
:::row:::
- :::column span="3":::
+ :::column span="2":::
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address
3. The client computer broadcasts a vendor-specific DHCP request that contains a network key (a 256-bit intermediate key) and an AES-256 session key for the reply. The network key is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server
@@ -57,8 +57,8 @@ The Network Unlock process follows these phases:
8. This combined key is used to create an AES-256 key that unlocks the volume
9. Windows continues the boot sequence
:::column-end:::
- :::column span="1":::
- :::image type="content" source="images/network-unlock-diagram.png" alt-text="Diagram of the Network Unlock sequence." lightbox="images/network-unlock-diagram.png" border="false":::
+ :::column span="2":::
+ :::image type="content" source="images/network-unlock-diagram.svg" alt-text="Diagram of the Network Unlock sequence." lightbox="images/network-unlock-diagram.svg" border="false":::
:::column-end:::
:::row-end:::
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
index 380ac306c4..1eaff6b4ec 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
@@ -230,7 +230,7 @@ Add the desired protectors prior to encrypting the volume. The following example
```powershell
$pw = Read-Host -AsSecureString
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections` |
| *Public* | Setting name: [LogMaxFileSize][CSP-13]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize` |
-# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
index ace95add6b..95957a5914 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
@@ -1,3 +1,9 @@
-
\ No newline at end of file
+
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index c40a04c723..7ad2200658 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -26,10 +26,6 @@
href: whats-new-windows-10-version-22H2.md
- name: What's new in Windows 10, version 21H2
href: whats-new-windows-10-version-21H2.md
- - name: What's new in Windows 10, version 21H1
- href: whats-new-windows-10-version-21H1.md
- - name: What's new in Windows 10, version 20H2
- href: whats-new-windows-10-version-20H2.md
- name: Windows commercial licensing overview
href: windows-licensing.md
- name: Deprecated and removed Windows features
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 6b07079c0f..31d2f8b2ba 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -2,8 +2,8 @@
title: Resources for deprecated features in the Windows client
description: Resources and details for deprecated features in the Windows client.
ms.date: 10/09/2023
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
author: mestew
ms.author: mstewart
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index bdf7f70696..6a3a4809db 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -2,8 +2,8 @@
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 01/26/2024
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
author: mestew
ms.author: mstewart
@@ -81,7 +81,6 @@ The features in this article are no longer being actively developed, and might b
| XDDM-based remote display driver | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
-| Windows To Go | Windows To Go is no longer being developed.
The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index 01fdfd6394..de53336b4b 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -1,8 +1,8 @@
---
title: Extended Security Updates (ESU) program for Windows 10
description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10.
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.author: mstewart
author: mestew
manager: aaroncz
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index 0c963dd3b4..9c928556e8 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -1,13 +1,13 @@
---
title: Windows client features lifecycle
description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: mestew
manager: aaroncz
ms.author: mstewart
ms.topic: conceptual
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/15/2023
ms.collection:
- highpri
diff --git a/windows/whats-new/images/1_AppBrowser.png b/windows/whats-new/images/1_AppBrowser.png
deleted file mode 100644
index 6e1f32e389..0000000000
Binary files a/windows/whats-new/images/1_AppBrowser.png and /dev/null differ
diff --git a/windows/whats-new/images/2_InstallWDAG.png b/windows/whats-new/images/2_InstallWDAG.png
deleted file mode 100644
index e45f714a35..0000000000
Binary files a/windows/whats-new/images/2_InstallWDAG.png and /dev/null differ
diff --git a/windows/whats-new/images/3_ChangeSettings.png b/windows/whats-new/images/3_ChangeSettings.png
deleted file mode 100644
index 968eb0c3c0..0000000000
Binary files a/windows/whats-new/images/3_ChangeSettings.png and /dev/null differ
diff --git a/windows/whats-new/images/4_ViewSettings.jpg b/windows/whats-new/images/4_ViewSettings.jpg
deleted file mode 100644
index 72ee4db754..0000000000
Binary files a/windows/whats-new/images/4_ViewSettings.jpg and /dev/null differ
diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png
deleted file mode 100644
index 9dd28db197..0000000000
Binary files a/windows/whats-new/images/Multi-app_kiosk_inFrame.png and /dev/null differ
diff --git a/windows/whats-new/images/Normal_inFrame.png b/windows/whats-new/images/Normal_inFrame.png
deleted file mode 100644
index 8d0559d0ee..0000000000
Binary files a/windows/whats-new/images/Normal_inFrame.png and /dev/null differ
diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png
deleted file mode 100644
index a7b20a039c..0000000000
Binary files a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png and /dev/null differ
diff --git a/windows/whats-new/images/beaming.png b/windows/whats-new/images/beaming.png
deleted file mode 100644
index 096c1d43f4..0000000000
Binary files a/windows/whats-new/images/beaming.png and /dev/null differ
diff --git a/windows/whats-new/images/kiosk-mode.PNG b/windows/whats-new/images/kiosk-mode.PNG
deleted file mode 100644
index 57c420a9c2..0000000000
Binary files a/windows/whats-new/images/kiosk-mode.PNG and /dev/null differ
diff --git a/windows/whats-new/images/system-guard.png b/windows/whats-new/images/system-guard.png
deleted file mode 100644
index 586f63d4da..0000000000
Binary files a/windows/whats-new/images/system-guard.png and /dev/null differ
diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png
deleted file mode 100644
index 5505ffa78c..0000000000
Binary files a/windows/whats-new/images/system-guard2.png and /dev/null differ
diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG
deleted file mode 100644
index 434eb55cb0..0000000000
Binary files a/windows/whats-new/images/wcd-cleanpc.PNG and /dev/null differ
diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png
deleted file mode 100644
index b3d998ba1b..0000000000
Binary files a/windows/whats-new/images/wcd-options.png and /dev/null differ
diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png
deleted file mode 100644
index 3d018c0bda..0000000000
Binary files a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png and /dev/null differ
diff --git a/windows/whats-new/images/your-phone.png b/windows/whats-new/images/your-phone.png
deleted file mode 100644
index 708c6c004a..0000000000
Binary files a/windows/whats-new/images/your-phone.png and /dev/null differ
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index c34ac91e0d..4bb62bd59c 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -6,8 +6,8 @@ summary: Find out about new features and capabilities in the latest release of W
metadata:
title: What's new in Windows
description: Find out about new features and capabilities in the latest release of Windows client for IT professionals.
- ms.prod: windows-client
- ms.technology: itpro-fundamentals
+ ms.service: windows-client
+ ms.subservice: itpro-fundamentals
ms.topic: landing-page
ms.collection:
- highpri
diff --git a/windows/whats-new/ltsc/index.yml b/windows/whats-new/ltsc/index.yml
index aecd90e01a..64c7cef9df 100644
--- a/windows/whats-new/ltsc/index.yml
+++ b/windows/whats-new/ltsc/index.yml
@@ -6,8 +6,8 @@ summary: Find out about new features and capabilities in the latest release of W
metadata:
title: What's new in Windows 10 Enterprise LTSC
description: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
- ms.prod: windows-client
- ms.technology: itpro-fundamentals
+ ms.service: windows-client
+ ms.subservice: itpro-fundamentals
ms.topic: landing-page
ms.collection:
- highpri
diff --git a/windows/whats-new/ltsc/overview.md b/windows/whats-new/ltsc/overview.md
index 77fdc1e229..881b172f79 100644
--- a/windows/whats-new/ltsc/overview.md
+++ b/windows/whats-new/ltsc/overview.md
@@ -1,13 +1,13 @@
---
title: Windows 10 Enterprise LTSC overview
description: An overview of the Windows 10 long-term servicing channel (LTSC).
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: low
ms.topic: overview
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 66b1088247..5679770b95 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2015
manager: aaroncz
ms.author: mstewart
description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: low
ms.topic: conceptual
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2015
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 9a932a1ef1..fa69dc65cd 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2016
manager: aaroncz
ms.author: mstewart
description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: low
ms.topic: conceptual
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2016
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 2221b4ab44..b2e12eaf4c 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2019
manager: aaroncz
ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: medium
ms.topic: conceptual
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2019
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ab677b2b33..b7f6c2c73f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2021
manager: aaroncz
ms.author: mstewart
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.localizationpriority: high
ms.topic: conceptual
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2021
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index d837c8fa8c..e9d3a16d2c 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -1,14 +1,14 @@
---
title: Features and functionality removed in Windows client
description: In this article, learn about the features and functionality that have been removed or replaced in Windows client.
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: conceptual
-ms.technology: itpro-fundamentals
-ms.date: 01/05/2023
+ms.subservice: itpro-fundamentals
+ms.date: 01/30/2024
ms.collection:
- highpri
- tier1
@@ -39,31 +39,31 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
| Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 |
-| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November, 2022 |
+| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November 2022 |
| Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 |
-| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 |
+| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Software publishers that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 |
|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, select **Settings** > **Apps** > **Optional features** > **Add a feature**, and then install the **Wireless Display** app. | 2004 |
| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
-| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
-| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 |
+| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for noncellular devices.| 2004 |
+| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 |
| Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 |
| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you'll only be able to access messages from the device that received the message. | 1903 |
-|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 |
+|Business Scanning also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 |
|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting lets you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it will be ignored.| 1809 |
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 |
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
-|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
+|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, download any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We're removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 |
-|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
+|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you can [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
|3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 |
|Apndatabase.xml | For more information about the replacement database, see the following Hardware Dev Center articles:
[MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
[COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | 1709 |
|Enhanced Mitigation Experience Toolkit (EMET) |Use of this feature will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/) as a replacement. | 1709 |
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index ba0ca795c1..d79c353526 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -1,8 +1,8 @@
---
title: Enterprise feature control in Windows 11
description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control.
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.author: mstewart
author: mestew
manager: aaroncz
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
deleted file mode 100644
index 02ecc6cade..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ /dev/null
@@ -1,355 +0,0 @@
----
-title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
-description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
-ms.prod: windows-client
-author: mestew
-manager: aaroncz
-ms.author: mstewart
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, versions 1507 and 1511 for IT Pros
-
-Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511.
-
->[!NOTE]
->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).
-
-
-## Deployment
-
-### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
-
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. An IT administrator using Windows Provisioning can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
-
-[Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
-
-
-## Security
-
-### AppLocker
-
-#### New AppLocker features in Windows 10, version 1507
-
-- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
-- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
-
-[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
-
-### BitLocker
-
-#### New BitLocker features in Windows 10, version 1511
-
-- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
- It provides the following benefits:
- - The algorithm is FIPS-compliant.
- - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
-
-> [!NOTE]
-> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
-
-#### New BitLocker features in Windows 10, version 1507
-
-
-
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
-- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
-- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
-
-[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
-
-### Credential Guard
-
-#### New Credential Guard features in Windows 10, version 1511
-
-- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
- - Credentials that are saved by the Remote Desktop Protocol can't be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
- - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
- - You can't restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this backup before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
-- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This setting allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can do this configuration by using Group Policy.
-- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg can't delegate default credentials when Credential Guard is enabled.
-
-[Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard).
-
-### Easier certificate management
-
-
-For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates.
-
-### Microsoft Passport
-
-In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
-
-Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
-
-### Security auditing
-
-#### New Security auditing features in Windows 10, version 1511
-
-- The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices.
-
-#### New features in Windows 10, version 1507
-
-In Windows 10, security auditing has added some improvements:
-- [New audit subcategories](#bkmk-auditsubcat)
-- [More info added to existing audit events](#bkmk-moreinfo)
-
-##### New audit subcategories
-
-In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's sign-in token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
- When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
-- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
- Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
- A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
-
-##### More info added to existing audit events
-
-With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
-- [Changed the kernel default audit policy](#bkmk-kdal)
-- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
-- [Added new fields in the sign-in event](#bkmk-logon)
-- [Added new fields in the process creation event](#bkmk-logon)
-- [Added new Security Account Manager events](#bkmk-sam)
-- [Added new BCD events](#bkmk-bcd)
-- [Added new PNP events](#bkmk-pnp)
-
-##### Changed the kernel default audit policy
-
-In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts.
-
-##### Added a default process SACL to LSASS.exe
-
-In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
-This process can help identify attacks that steal credentials from the memory of a process.
-
-##### New fields in the sign-in event
-
-The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
-1. **MachineLogon** String: yes or no
- If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
-2. **ElevatedToken** String: yes or no
- If an account signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown.
-3. **TargetOutboundUserName** String
- **TargetOutboundUserDomain** String
- The username and domain of the identity that was created by the LogonUser method for outbound traffic.
-4. **VirtualAccount** String: yes or no
- If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
-5. **GroupMembership** String
- A list of all of the groups in the user's token.
-6. **RestrictedAdminMode** String: yes or no
- If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
- For more information about restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2).
-
-##### New fields in the process creation event
-
-The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
-1. **TargetUserSid** String
- The SID of the target principal.
-2. **TargetUserName** String
- The account name of the target user.
-3. **TargetDomainName** String
- The domain of the target user..
-4. **TargetLogonId** String
- The sign-in ID of the target user.
-5. **ParentProcessName** String
- The name of the creator process.
-6. **ParentProcessId** String
- A pointer to the actual parent process if it's different from the creator process.
-
-##### New Security Account Manager events
-
-In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
-- SamrEnumerateGroupsInDomain
-- SamrEnumerateUsersInDomain
-- SamrEnumerateAliasesInDomain
-- SamrGetAliasMembership
-- SamrLookupNamesInDomain
-- SamrLookupIdsInDomain
-- SamrQueryInformationUser
-- SamrQueryInformationGroup
-- SamrQueryInformationUserAlias
-- SamrGetMembersInGroup
-- SamrGetMembersInAlias
-- SamrGetUserDomainPasswordInformation
-
-##### New BCD events
-
-Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
-- DEP/NEX settings
-- Test signing
-- PCAT SB simulation
-- Debug
-- Boot debug
-- Integrity Services
-- Disable Winload debugging menu
-
-##### New PNP events
-
-Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
-
-[Learn how to manage your security audit policies within your organization](/windows/security/threat-protection/auditing/security-auditing-overview).
-
-### Trusted Platform Module
-
-#### New TPM features in Windows 10, version 1511
-
-- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
-
-#### New TPM features in Windows 10, version 1507
-
-The following sections describe the new and changed functionality in the TPM for Windows 10:
-- [Device health attestation](#bkmk-dha)
-- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
-- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
-
-### Device health attestation
-
-Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
-Some things that you can check on the device are:
-- Is Data Execution Prevention supported and enabled?
-- Is BitLocker Drive Encryption supported and enabled?
-- Is SecureBoot supported and enabled?
-
->[!NOTE]
->The device must be running Windows 10 and it must support at least TPM 2.0.
-
-[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
-
-### User Account Control
-
-User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
-
-You shouldn't turn off UAC because this setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
-
-For more information about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
-
-In Windows 10, User Account Control has added some improvements.
-
-#### New User Account Control features in Windows 10, version 1507
-
-- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
-
-[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
-
-### VPN profile options
-
-Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including:
-
-- Always-on auto connection behavior
-- App=triggered VPN
-- VPN traffic filters
-- Lock down VPN
-- Integration with Microsoft Passport for Work
-
-[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options)
-
-
-## Management
-
-Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
-
-### MDM support
-
-MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
-
-MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
-
-Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
-
-### Unenrollment
-
-
-When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
-
-When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
-
-### Infrastructure
-
-
-Enterprises have the following identity and management choices.
-
-| Area | Choices |
-|---|---|
-| Identity | Active Directory; Azure AD |
-| Grouping | Domain join; Workgroup; Azure AD join |
-| Device management | Group Policy; Microsoft Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
-
-> [!NOTE]
-> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
-
-
-### Device lockdown
-
-
-Do you need a computer that can only do one thing? For example:
-
-- A device in the lobby that customers can use to view your product catalog.
-
-- A portable device that drivers can use to check a route on a map.
-
-- A device that a temporary worker uses to enter data.
-
-You can configure a persistent locked down state to [create a kiosk-type device](/windows/configuration/kiosk-methods). When the locked-down account is logged on, the device displays only the app that you select.
-
-You can also [configure a lockdown state](/windows/configuration/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
-
-Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](/windows/configuration/windows-10-start-layout-options-and-policies).
-
-### Customized Start layout
-
-A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout).
-
-Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
-
-### Microsoft Store for Business
-**New in Windows 10, version 1511**
-
-With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or reuse licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
-
-For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview).
-
-
-## Updates
-
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-
-By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
-
-- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
-
-- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
-
-- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
-
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
-
-
-Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
-
-For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
-
-## Microsoft Edge
-Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
-
-- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
-- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
-- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
-- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
-
-### Enterprise guidance
-Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
-
-We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
-
-[Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility)
-
-
-## Learn more
-
-- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
deleted file mode 100644
index d0b7cbda02..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: What's new in Windows 10, version 1607 (Windows 10)
-description: What's new in Windows 10 for Windows 10 (version 1607)?
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: mestew
-manager: aaroncz
-ms.author: mstewart
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 1607 for IT Pros
-
-Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update).
-
->[!NOTE]
->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).
-
-## Deployment
-
-### Windows Imaging and Configuration Designer (ICD)
-
-In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
-
-Windows ICD now includes simplified workflows for creating provisioning packages:
-
-- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
-- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates)
-- [School provisioning to set up classroom devices for Active Directory](/education/windows/set-up-students-pcs-to-join-domain)
-
-[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
-
-### Windows Upgrade Readiness
-
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-
-With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues, with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
-
-[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
-
-## Windows updates
-
-Windows 10, version 1607, provides administrators with increased control over updates by changing the update deferral increment from weeks to days. Other changes:
-
-- Quality Updates can be deferred up to 30 days and paused for 35 days
-- Feature Updates can be deferred up to 180 days and paused for 60 days
-- Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
-- Drivers can be excluded from updates
-
-## Security
-
-### Credential Guard and Device Guard
-
-Isolated User Mode is now included with Hyper-V so you don't have to install it separately.
-
-### Windows Hello for Business
-
-When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-
-Other changes for Windows Hello in Windows 10, version 1607:
-
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
-- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
-- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
-
-[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
-
-### VPN
-
-- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
-- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
-- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
-
-
-### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-
-- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
-
-[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
-
-### Windows Defender
-Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
-
-- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
-
-### Microsoft Defender for Endpoint
-
-With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-
-[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-
-## Management
-
-### Use Remote Desktop Connection for PCs joined to Azure Active Directory
-
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
-
-
-### Taskbar configuration
-
-Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies)
-
-### Mobile device management and configuration service providers (CSPs)
-
-Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607).
-
-### Shared PC mode
-
-Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc)
-
-### Application Virtualization (App-V) for Windows 10
-
-Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-
-With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
-
-[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
-
-### User Experience Virtualization (UE-V) for Windows 10
-
-Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
-
-With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
-
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
-
-[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
-
-## Learn more
-
-- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
deleted file mode 100644
index b62a1a7579..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ /dev/null
@@ -1,313 +0,0 @@
----
-title: What's new in Windows 10, version 1703
-description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: mestew
-manager: aaroncz
-ms.author: mstewart
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 1703 for IT Pros
-
-Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
-
-For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
-
->[!NOTE]
->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md).
-
-## Configuration
-
-### Windows Configuration Designer
-
-Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
-
-Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
-
-
-
-Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp).
-
-
-
-[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
-
-
-### Azure Active Directory join in bulk
-
-Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-
-### Windows Spotlight
-
-The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
-
-- **Turn off the Windows Spotlight on Action Center**
-- **Do not use diagnostic data for tailored experiences**
-- **Turn off the Windows Welcome Experience**
-
-[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
-
-
-### Start and taskbar layout
-
-Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
-
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-
-[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
-
-- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
-- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
-- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
-
-### Cortana at work
-
-Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, optimized for your business. When your employees sign in with an Azure Active Directory (Azure AD) account, they can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
-
-Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
-
-For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
-
-
-## Deployment
-
-### MBR2GPT.EXE
-
-MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
-
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
-
-Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-
-For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-
-## Security
-
-### Microsoft Defender for Endpoint
-
-New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include:
-- **Detection**: Enhancements to the detection capabilities include:
- - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- - Upgraded detections of ransomware and other advanced attacks
- - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
-
-- **Investigation**: Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to help you gain a holistic view on investigations.
-
- Other investigation enhancements include:
- - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
-
-- **Response**: When an attack is detected, security response teams can now take immediate action to contain a breach:
- - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
-
-
-- **Other features**
- - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
-
-You can read more about ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-
-Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](/windows/deployment/deploy-whats-new).
-
-### Microsoft Defender Antivirus
-Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
-
-The new library includes information on:
-- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus)
-- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus)
-- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus)
-- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features)
-- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
-
-Some of the highlights of the new library include:
-- [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus)
-- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)
-
-New features for Microsoft Defender AV in Windows 10, version 1703 include:
-
-- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus)
-- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
-
-
-In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
-
-You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
-
-### Device Guard and Credential Guard
-
-More security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
-
-### Group Policy Security Options
-
-The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
-
-A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign-in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
-
-### Windows Hello for Business
-
-You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
-For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
-
-For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
-
-### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
-
-## Update
-
-### Windows Update for Business
-
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy hasn't been configured. We've also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-
-
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-
-
-### Windows Insider for Business
-
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization, especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register).
-
-### Optimize update delivery
-
-With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
-
->[!NOTE]
-> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-
-Delivery Optimization policies now enable you to configure more restrictions to have more control in various scenarios.
-
-Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
-
-### Uninstalled in-box apps no longer automatically reinstall
-
-Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-
-Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This condition won't apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
-
-## Management
-
-### New MDM capabilities
-
-Windows 10, version 1703 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
-
-Some of the other new CSPs are:
-
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
-
-- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
-
-- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
-
-- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
-
-- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options).
-
-- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-
-
-[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
-
-### Mobile application management support for Windows 10
-
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
-
-For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management).
-
-### MDM diagnostics
-
-In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an extra tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
-
-### Application Virtualization for Windows (App-V)
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
-
-For more info, see the following topics:
-- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
-- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
-- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
-
-### Windows diagnostic data
-
-Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
-
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
-
-### Group Policy spreadsheet
-
-Learn about the new Group Policies that were added in Windows 10, version 1703.
-
-- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
-
-## Miracast on existing wireless network or LAN
-
-In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
-
-Miracast over Infrastructure offers many benefits:
-
-- Windows automatically detects when sending the video stream over this path is applicable.
-- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
-- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct.
-- It uses an existing connection that reduces the time to connect and provides a stable stream.
-
-### How it works
-
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, and via multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-
-### Enabling Miracast over Infrastructure
-
-If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following requirements are true within your deployment:
-
-- The device (PC or Surface Hub) needs to be running Windows 10, version 1703.
-- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*.
- - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (for example, using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- - As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this resolution by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
-- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-
-It's important to note that Miracast over Infrastructure isn't a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
-
-## New features in related products
-The following new features aren't part of Windows 10, but help you make the most of it.
-
-### Upgrade Readiness
-
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following topics:
-
-- [Windows Analytics blog](/archive/blogs/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
-
-
-### Update Compliance
-
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
-
-Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
deleted file mode 100644
index 4f608c1dd6..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: What's new in Windows 10, version 1709
-description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
-ms.prod: windows-client
-author: mestew
-manager: aaroncz
-ms.author: mstewart
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 1709 for IT Pros
-
-**Applies to**
-- Windows 10, version 1709
-
-Below is a list of some of the new and updated content that discusses IT Pro features in Windows 10, version 1709, also known as the Fall Creators Update. Windows 10, version 1709 also contains all features and fixes included in previous cumulative updates to Windows 10, version 1703.
-
-A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information. The following 3-minute video summarizes these features.
-
-
-
-> [!video https://www.microsoft.com/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
-
-
-## Deployment
-
-### Windows Autopilot
-
-Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot).
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
-
-### Windows 10 Subscription Activation
-
-Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
-
-### Autopilot Reset
-
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom sign-in screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
-
-
-## Update
-
-### Windows Update for Business
-
-Windows Update for Business now has more controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
-
-### Windows Insider Program for Business
-
-You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
-
-
-## Administration
-
-### Mobile Device Management (MDM)
-
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-
-Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
-
-
-## Application Management
-
-### Mixed Reality Apps
-
-This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality).
-
-
-## Configuration
-
-### Kiosk Configuration
-
-The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
-
-
-## Security
-
->[!NOTE]
->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall.
-
-**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-
-### Microsoft Defender for Endpoint
-
-Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices).
-
-### Windows Defender Application Guard
-
-Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview).
-
-### Windows Defender Exploit Guard
-
-Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection).
-
-
-### Windows Defender Device Guard
-
-Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
-
-### Windows Information Protection
-
-Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
-
-### Windows Hello
-
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification).
-
-### BitLocker
-
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
-
-### Windows security baselines
-
-Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-
-### SMBLoris vulnerability
-An issue, known as _SMBLoris_, which could result in denial of service, has been addressed.
-
-
-## Windows Analytics
-
-### Upgrade Readiness
-
-Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-### Update Compliance
-
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-
-### Device Health
-
-Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
-
-
-## Networking
-
-### Network stack
-
-Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
-
-
-## See Also
-
-[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
-[What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.
-[Threat protection on Windows 10](/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
deleted file mode 100644
index 9c77663750..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ /dev/null
@@ -1,233 +0,0 @@
----
-title: What's new in Windows 10, version 1803
-description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
-ms.prod: windows-client
-author: mestew
-manager: aaroncz
-ms.author: mstewart
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 1803 for IT Pros
-
-**Applies to**
-- Windows 10, version 1803
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.
-
->If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](/windows-hardware/get-started/what-s-new-in-windows), for [developers](/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update).
-
-The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
-
-> [!video https://www.microsoft.com/videoplayer/embed/RE21ada?autoplay=false]
-
-## Deployment
-
-### Windows Autopilot
-
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
-
-With the help of Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
-
-Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.
-
-### Windows 10 in S mode
-
-Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.
-
-Some additional information about Windows 10 in S mode:
-
-- Microsoft-verified. All of your applications are verified by Microsoft for security and performance.
-- Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.
-- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.
-- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.
-
-If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back.
-
-For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
-
-### Windows 10 kiosk and Kiosk Browser
-
-With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
-
-- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
-- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
-- Support for multiple screens for digital signage use cases.
-- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
-- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
-- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
-- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
-- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
-
-For more information, see:
-- [Making IT simpler with a modern workplace](https://www.microsoft.com/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
-- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
-
-### Windows 10 Subscription Activation
-
-With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
-
-For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
-
-### DISM
-
-The following new DISM commands have been added to manage feature updates:
-
-| Command | Description |
-|---|---|
-| `DISM /Online /Initiate-OSUninstall` | Initiates an OS uninstall to take the computer back to the previous installation of windows. |
-| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. |
-| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. |
-| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. |
-
-
-For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
-
-### Windows Setup
-
-You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
-
-Prerequisites:
-- Windows 10, version 1803 or later.
-- Windows 10 Enterprise or Pro
-
-For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-
-It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:
-
-`/PostRollback
-Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
-- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
- With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This query creation can be done by using the power of Advanced hunting through the creation of custom detection rules.
-
-- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
-Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration.
-The integration will allow MSSPs to take the following actions:
-Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-
-- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
-Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
-
-- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
-Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
-
-- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
-Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-
-- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
-Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor
-
-## Cloud Clipboard
-
-Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard:
-
-1. Go to **Windows Settings** and select **Systems**.
-
-2. On the left menu, click on **Clipboard**.
-
-3. Turn on **Clipboard history**.
-
-4. Turn on **Sync across devices**. Choose whether or not to automatically sync copied text across your devices.
-
-## Kiosk setup experience
-
-We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
-
-To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page.
-
-
-
-Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
-
-1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
-
-2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users can't minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
-
-
-
-Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types.
-
->[!NOTE]
->The following Microsoft Edge kiosk mode types cannot be set up using the new simplified assigned access configuration wizard in Windows 10 Settings.
-
-**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
-
-
-
-**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store isn't set up, users can't get books.
-
-
-
-Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
-
-## Registry editor improvements
-
-We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
-
-
-## Faster sign-in to a Windows 10 shared pc
-
-Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash!
-
-**To enable fast sign-in:**
-1. Set up a shared or guest device with Windows 10, version 1809.
-
-2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in.
-
-3. Sign-in to a shared PC with your account. You'll notice the difference!
-
- 
-
->[!NOTE]
->This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time.
-
-## Web sign-in to Windows 10
-
->[!IMPORTANT]
->This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time.
-
-Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows sign-in support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass.
-
-**To try out web sign-in:**
-1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
-
-3. On the lock screen, select web sign-in under sign-in options.
-
-4. Click the **Sign in** button to continue.
-
- > [!div class="mx-imgBorder"]
- > 
-
->[!NOTE]
->This is a private preview feature and therefore not meant or recommended for production purposes.
-
-## Your Phone app
-
-Android phone users, you can finally stop emailing yourself photos. With Your Phone, you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.
-
-For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing-read, watch, or browse-with all the benefits of a bigger screen.
-
-:::image type="content" source="images/your-phone.png" alt-text="Your phone.":::
-
-The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**.
-
-## Wireless projection experience
-
-One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes:
-
-* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible
-* Video mode increases the screen-to-screen latency to ensure the video on the large screen plays back smoothly
-* Productivity modes strike a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
-
-
-
-## Remote Desktop with Biometrics
-
-Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
-Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.
-
-Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session.
-
-To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN.
-
-See the following example:
-
-
-
-
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
deleted file mode 100644
index c593f3baae..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: What's new in Windows 10, version 1903
-description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
-ms.prod: windows-client
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 11/17/2023
----
-
-# What's new in Windows 10, version 1903 for IT Pros
-
-**Applies to**
-- Windows 10, version 1903.
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
-
->[!NOTE]
->
->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
-
-## Deployment
-
-### Windows Autopilot
-
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-
-- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
-- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-
-### SetupDiag
-
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available.
-
-### Reserved storage
-
-[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10.
-
-## Servicing
-
-- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
-- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again.
-- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-
-## Security
-
-### Windows Information Protection
-
-With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
-
-### Security configuration framework
-
-With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md), called the **SECCON framework**, comprised of 5 device security configurations.
-
-### Security baseline for Windows 10 and Windows Server
-
-The draft release of the [security configuration baseline settings](/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903) for Windows 10, version 1903 and for Windows Server version 1903 is available.
-
-### Intune security baselines
-
-[Intune Security Baselines](/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
-
-### Microsoft Defender for Endpoint
-
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
- - Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-
-### Microsoft Defender for Endpoint next-gen protection technologies
-
-- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
-- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
-
-### Threat Protection
-
-- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
-- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
-
-- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
-
- To try this extension:
- 1. Configure WDAG policies on your device.
- 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
- 3. Follow any of the other configuration steps on the extension setup page.
- 4. Reboot the device.
- 5. Navigate to an untrusted site in Chrome and Firefox.
-
- - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
-
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
- 1. Enforce and audit side-by-side.
- 1. Simpler targeting for policies with different scope/intent.
- 1. expanding a policy using a new supplemental policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins. If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule.
- - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
-
-#### System Guard
-
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM.
-
-This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly:
-
-
-
-### Identity Protection
-
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID.
-- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience.
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
-
-### Security management
-
-- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
-- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
-- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
-
-## Microsoft Edge
-
-Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
-
-## See Also
-
-- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
-- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
-- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware.
-- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
deleted file mode 100644
index 5ab89168fd..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: What's new in Windows 10, version 1909
-description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
-ms.prod: windows-client
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 1909 for IT Pros
-
-**Applies to**
-- Windows 10, version 1909
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903.
-
-## Servicing
-
-Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.
-
-To deliver these updates in an optimal fashion, we're providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you're running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.
-
-If you're updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97).
-
-**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, see the [Windows lifecycle fact sheet](/lifecycle/faq/windows).
-
-### Windows Server Update Services (WSUS)
-
-Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
-
-The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
-
-### Windows Update for Business
-
-If you're using Windows Update for Business, you'll receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
-
-## Security
-
-### Credential Guard
-
-[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
-
-### Microsoft BitLocker
-
-BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
-
-### Key-rolling and Key-rotation
-
-Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
-
-### Transport Layer Security (TLS)
-
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
-
->[!NOTE]
->The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
-
-## Virtualization
-
-### Windows Sandbox
-
-[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation.
-
-## Windows Virtual Desktop
-
-[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
-
-## Deployment
-
-### Microsoft Intune family of products
-
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
-
-### Windows 10 Pro and Enterprise in S mode
-
- You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s).
-
-### SetupDiag
-
-[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
-
-SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
-
-### Windows Assessment and Deployment Toolkit (ADK)
-
-A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.
-
-## Desktop Analytics
-
-[Desktop Analytics](/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
-
-## Microsoft Connected Cache
-
-Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need.
-
-## Accessibility
-
-This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked).
-
-## Processor requirements and enhancements
-
-### Requirements
-
-[Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows.
-
-### Favored CPU Core Optimization
-
-This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.
-
-When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die.
-
-With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance".
-
-### Debugging
-
-More debugging capabilities for newer Intel processors have been added in this release. These newly added capabilities are only relevant for hardware manufacturers.
-
-### Efficiency
-
-General battery life and power efficiency improvements for PCs with certain processors have been added in this release.
-
-## See Also
-
-[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
-[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[Features and functionality removed in Windows 10](removed-features.md): Removed features.
-[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
-[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
-[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
-[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
deleted file mode 100644
index 22d328d14f..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ /dev/null
@@ -1,267 +0,0 @@
----
-title: What's new in Windows 10, version 2004
-description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
-ms.prod: windows-client
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.localizationpriority: medium
-ms.topic: article
-ROBOTS: NOINDEX
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
----
-
-# What's new in Windows 10, version 2004 for IT Pros
-
-**Applies to**
-- Windows 10, version 2004
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
-
-To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update).
-
-> [!NOTE]
-> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003.
-
-## Security
-
-### Windows Hello
-
-- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
-
-- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
-
-- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
-
-### Windows Defender System Guard
-
-In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
-
-With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
-
- 
-
-### Windows Defender Application Guard
-
-[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
-
-Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon.
-
-## Deployment
-
-### Windows Setup
-
-Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
-
-Improvements in Windows Setup with this release also include:
-- Reduced offline time during feature updates
-- Improved controls for reserved storage
-- Improved controls and diagnostics
-- New recovery options
-
-For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
-
-### SetupDiag
-
-In Windows 10, version 2004, SetupDiag is now automatically installed.
-
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
-
-### Windows Autopilot
-
-With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
-
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles.
-
-### Microsoft Configuration Manager
-
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-
-Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
-
-### Windows Assessment and Deployment Toolkit (ADK)
-
-Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
-
-For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
-
-### Microsoft Deployment Toolkit (MDT)
-
-MDT version 8456 supports Windows 10, version 2004, but there's currently an issue that causes MDT to incorrectly detect that UEFI is present. There's an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue.
-
-For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
-
-## Servicing
-
-### Delivery Optimization
-
-Windows PowerShell cmdlets have been improved:
-
-- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
-- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
-- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
-
-Other improvements:
-- Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
-- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-
-The following [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
-
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background.
-- Max Upload Bandwidth (DOMaxUploadBandwidth)
- - Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: Separated to foreground and background.
-
-### Windows Update for Business
-
-[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
-
-- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-
-- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue using deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
-
-## Networking
-
-### Wi-Fi 6 and WPA3
-
-Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
-
-### TEAP
-
-In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
-
-## Virtualization
-
-### Windows Sandbox
-
-[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.
-
-[Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
-- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
-- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
-- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This setting is disabled by default due to issues with copy & paste.
-- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
-- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
-- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.
-
-Windows Media Player is also added back to the Sandbox image in this release.
-
-Windows Sandbox also has improved accessibility in this release, including:
-- Microphone support is available.
-- Added functionality to configure the audio input device via the Windows Sandbox config file.
-- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode.
-- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode.
-
-### Windows Subsystem for Linux (WSL)
-
-With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but wouldn't shrink when no longer needed.
-
-[WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
-
-For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/release-notes).
-
-### Windows Virtual Desktop (WVD)
-
-Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, and the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
-
-## Microsoft Edge
-
-Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new).
-
-Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/).
-
-## Application settings
-
-This release enables explicit [Control over restarting apps at sign-in (Build 18965)](/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
-
-## Windows Shell
-
-Several enhancements to the Windows 10 user interface are implemented in this release:
-
-### Cortana
-
-[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
-
-- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
-
- - In the coming months, with regular app updates through the Microsoft Store, we'll enhance this experience to support wake word invocation and enable listening when you say "Cortana", offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
-
-- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365's enterprise-level privacy, security, and compliance promises](/microsoft-365/admin/misc/cortana-integration) as set out in the Online Services Terms.
-
-- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
-
-For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
-
-### Windows Search
-
-Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm).
-
-### Virtual Desktops
-
-There's a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
-
-### Bluetooth pairing
-
-Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
-
-### Reset this PC
-
-The 'reset this PC' recovery function now includes a [cloud download](/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
-
-### Task Manager
-
-The following items are added to Task Manager in this release:
-- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
-- Disk type is now [listed for each disk on the Performance tab](/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
-
-## Graphics & display
-
-### DirectX
-
-[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release.
-
-### 2-in-1 PCs
-
-See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
-
-### Specialized displays
-
-With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose.
-
-Examples include:
-- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators
-- Medical imaging devices with custom panels, such as grayscale X-ray displays
-- Video walls like those displayed in Microsoft Store
-- Dedicated video monitoring
-- Monitor panel testing and validation
-- Independent Hardware Vendor (IHV) driver testing and validation
-
-To prevent Windows from using a display, choose Settings > Display and select Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
-
-## Desktop Analytics
-
-[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
-
-For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
-
-## See Also
-
-- [What's new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
-- [What's new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
-- [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
-- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
-- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
-- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
-- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features.
-- [Features and functionality removed in Windows 10](removed-features.md): Removed features.
-- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
deleted file mode 100644
index a433405b4e..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: What's new in Windows 10, version 20H2
-description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
-ms.prod: windows-client
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.localizationpriority: high
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
-appliesto:
- - ✅ Windows 10, version 20H2
----
-
-# What's new in Windows 10, version 20H2 for IT Pros
-
-This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
-
-> [!NOTE]
-> With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2).
-
-As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
-
-To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
-
-## Microsoft Edge
-
-This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](/microsoft-edge/).
-
-## Servicing
-
-### Windows Update
-
-There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see [Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547).
-
-Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039).
-
-## Deployment
-
-New guidance is available to help prepare a [servicing strategy](/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.
-
-Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**:
-
-**Plan** your deployment by evaluating and understanding essential activities:
-- Create a [phased deployment plan](/windows/deployment/update/create-deployment-plan)
-- Assign [roles and responsibilities](/windows/deployment/update/plan-define-readiness#process-manager) within your organization
-- Set [criteria](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process
-- Evaluate your [infrastructure and tools](/windows/deployment/update/eval-infra-tools)
-- Determine [readiness](/windows/deployment/update/plan-determine-app-readiness) for your business applications
-- Create an effective, schedule-based [servicing strategy](/windows/deployment/update/plan-define-strategy)
-
-**Prepare** your devices and environment for deployment by performing necessary actions:
-- Update [infrastructure and tools](/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment)
-- Ensure the needed [services](/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available
-- Resolve issues with [unhealthy devices](/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices)
-- Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates
-
-**Deploy** and manage Windows 10 strategically in your organization:
-- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the setup, configuration, and delivery of new devices
-- Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
-- Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices
-- [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
-- Manage bandwidth for updates with [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization)
-- [Monitor Windows Updates](/windows/deployment/update/update-compliance-monitor) with Update Compliance
-
-### Windows Autopilot
-
-Enhancements to Windows Autopilot since the last release of Windows 10 include:
-- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
-- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
-
-### Windows Assessment and Deployment Toolkit (ADK)
-
-There's no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
-
-## Device management
-
-Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
-
-For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
-
-## Security
-
-### Microsoft Defender for Endpoint
-
-This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
-
-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
-
-### Microsoft Defender Application Guard for Office
-
-Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
-
-### Windows Hello
-
-With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
-
-## Virtualization
-
-### Windows Sandbox
-
-New policies for [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](/windows/client-management/mdm/policy-csp-windowssandbox).
-
-### Windows Virtual Desktop (WVD)
-
-> **Note**: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows.
-
-New capabilities in WVD were announced at Ignite 2020. For more information, see [Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop](https://aka.ms/wvd-ignite2020-blogpost).
-
-In addition, [Windows Virtual Desktop is now generally available in the Azure Government cloud](https://azure.microsoft.com/updates/windows-virtual-desktop-is-now-generally-available-in-the-azure-government-cloud/).
-
-## Windows Shell
-
-Some enhancements to the Windows 10 user interface are implemented in this release:
-
-- With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware.
-- Icons on the Start menu no longer have a square outline around each icon.
-- Notifications are slightly updated in appearance.
-- You can now change the monitor refresh rate on advanced display settings.
-- Alt+Tab now shows Edge browser tabs by default. You can edit this setting under **Settings** > **System** > **Multitasking**: **Alt+Tab**.
-- The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page.
-
-### 2-in-1 PCs
-
-On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen.
-
-## Surface
-
-Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](/surface-hub/surface-hub-2s-whats-new).
-
-## Desktop Analytics
-
-[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
-
-For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
-
-## See Also
-
-[What’s new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)
-[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)
-[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)
-[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
-[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
-[Features and functionality removed in Windows 10](removed-features.md): Removed features.
-[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
deleted file mode 100644
index 4f1f8db731..0000000000
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: What's new in Windows 10, version 21H1
-description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
-ms.prod: windows-client
-author: mestew
-ms.author: mstewart
-manager: aaroncz
-ms.localizationpriority: high
-ms.topic: conceptual
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
-appliesto:
- - ✅ Windows 10, version 21H1
----
-
-# What's new in Windows 10, version 21H1 for IT Pros
-
-This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2.
-
-Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
-
-
-For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736).
-
-## Servicing
-
-### Windows Update
-
-Starting with Windows 10, version 20H2 and including this release, Latest Cumulative Updates (LCUs) and Servicing Stack Updates (SSUs) have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039).
-
-Also see [What's next for Windows 10 updates](https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/).
-
-## Deployment
-
-### Windows Autopilot
-
-A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios.
-
-A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
-
-Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
-
-For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
-
-### Windows Assessment and Deployment Toolkit (ADK)
-
-There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
-
-## Device management
-
-Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
-- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
-
-## Security
-
-### Windows Defender Application Guard (WDAG)
-
-WDAG performance is improved with optimized document opening times:
-- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
-- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
-- The performance of Robocopy is improved when copying files over 400 MB in size.
-
-### Windows Hello
-
-Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
-
-## Microsoft Edge
-
-The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser is included with this release. For more information about what's new in Edge, see the [Microsoft Edge insider](https://www.microsoftedgeinsider.com/whats-new).
-
-## General fixes
-
-For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/).
-
-This release includes the following enhancements and issues fixed:
-
-- a memory leak in Internet Explorer 11 that occurs when you use the Chinese language pack.
-- COM+ callout policies that cause a deadlock in certain applications.
-- an issue that prevents certain Win32 apps from opening as a different user when you use the runas
-- unexpected screens during the Windows Out of Box Experience (OOBE).
-- an issue that might cause a deadlock when a COM server delivers an event to multiple subscribers in parallel.
-- an issue in Advanced display settings that shows the incorrect refresh rates available for high dynamic range (HDR) displays.
-- an issue that might prevent certain CAD applications from opening if those applications rely on OpenGL.
-- an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors.
-- an issue that sometimes prevents the input of strings into the Input Method Editor (IME).
-- an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions.
-- a stop error that occurs at the start.
-- an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page.
-- an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana.
-- removed the history of previously used pictures from a user account profile.
-- wrong language displayed on a console after you change the system locale.
-- host process of Windows Remote Management (WinRM) can stop working when it formats messages from a PowerShell plugin.
-- Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions.
-- screen rendering after opening games with certain hardware configurations.
-- startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on.
-- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
-- high memory and CPU utilization in Microsoft Defender for Endpoint.
-- We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints.
-- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627.
-- an issue that prevents wevtutil from parsing an XML file.
-- failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
-- We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode.
-- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid.
-- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically.
-- We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns.
-- We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues.
-- We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver.
-- We enabled Windows to retrieve updated printer capabilities to ensure that users have the proper set of selectable print options.
-- We updated support for hole punch and stapling locations for print jobs with long edge first paper feed direction on certain printers.
-- an issue that might cause the IKEEXT service to stop working intermittently.
-- an issue that might prevent a Non-Volatile Memory Express (NVMe) device from entering the proper power state.
-- an issue that might cause stop error 7E in sys on servers running the Network File System (NFS) service.
-- an issue that prevents the User Profile Service from detecting a slow or a fast link reliably.
-- an issue that causes contention for a metadata lock when using Work Folders.
-- We added a new dfslogkey:
- Keypath: **HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/dfslog**
- The **RootShareAcquireSuccessEvent** field has the following possible values:
- * Default value = 1; enables the log.
- * Value other than 1; disables the log.
-
- If this key doesn't exist, it will be created automatically.
- To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service.
-- We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client.
-- We turned off token binding by default in Windows Internet (WinINet).
-- an issue that might prevent the correct Furigana characters from appearing in apps that automatically allow the input of Furigana characters. You might need to enter the Furigana characters manually. This issue occurs when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in these apps.
-
-## See Also
-
-[IT tools to support Windows 10, version 21H1](https://aka.ms/tools-for-21H1)
-[Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.
-[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
-[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
-[Features and functionality removed in Windows 10](removed-features.md): Removed features.
-[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 56b194f450..f23820ffe8 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -2,7 +2,7 @@
title: What's new in Windows 10, version 21H2 for IT pros
description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: aaroncz
-ms.prod: windows-client
+ms.service: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ Windows 10, version 21H2
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index 5c158152d8..3ec8fdc763 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -1,8 +1,8 @@
---
title: What's new in Windows 10, version 22H2 for IT pros
description: Learn more about what's new in Windows 10, version 22H2, including how to get it.
-ms.prod: windows-client
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
ms.author: mstewart
author: mestew
manager: aaroncz
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index b09c1ab588..d2308ff620 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -2,7 +2,7 @@
title: What's new in Windows 11, version 22H2 for IT pros
description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: aaroncz
-ms.prod: windows-client
+ms.service: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 08/11/2023
appliesto:
- ✅ Windows 11, version 22H2
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index 7a178b1852..421552f353 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -2,7 +2,7 @@
title: What's new in Windows 11, version 23H2 for IT pros
description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: aaroncz
-ms.prod: windows-client
+ms.service: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 10/31/2023
appliesto:
- ✅ Windows 11, version 23H2
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 2bab9205d6..bceae6230c 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -1,28 +1,29 @@
---
title: Windows 11 overview for administrators
-description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
+description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, apps, the new desktop, and deploying and servicing PCs.
manager: aaroncz
author: mestew
ms.author: mstewart
-ms.prod: windows-client
-ms.date: 09/20/2022
-ms.technology: itpro-fundamentals
+ms.service: windows-client
+ms.date: 01/31/2024
+ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: overview
ms.collection:
- highpri
- tier1
+ - essentials-overview
appliesto:
- ✅ Windows 11
---
# Windows 11 overview
-Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
+Windows 11 is a client operating system and includes features that organizations should know about. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
-It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
+Windows 11 offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
-Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
+Your investments in updates and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows).
@@ -46,13 +47,13 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
- [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection)
-- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
+- The application security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more.
For more information, see [Windows application security](/windows/security/apps).
- **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices.
- As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Intune work together to remove passwords, create more secure policies, and help enforce compliance.
+ As an admin, going passwordless help secures user identities. The Windows OS, Microsoft Entra ID, and Intune work together to remove passwords, create more secure policies, and help enforce compliance.
For more information, see:
@@ -68,27 +69,20 @@ For more information on the security features you can configure, manage, and enf
For more information, see [What is Windows 365 Enterprise?](/windows-365/overview).
-- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call:
-
- :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call.":::
-
- This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Intune. For more information, see:
+- **Microsoft 365 Apps** can be installed on Windows 11 clients using the device management tools you're already familiar with:
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365)
- - [Install Microsoft Teams using Microsoft Configuration Manager](/microsoftteams/msi-deployment)
+ - [What is Microsoft Configuration Manager?](/mem/configmgr/core/understand/introduction)
+ - [Deploy Microsoft 365 Apps with Microsoft Configuration Manager](/deployoffice/deploy-microsoft-365-apps-configuration-manager)
- Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11).
-
-- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
+- **Power Automate for desktop** allows your users to create flows in a low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more.
For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11).
- Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**.
-
## Customize the desktop experience
-- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app:
+- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize or maximize option. When you do, you can select a different layout for the app:
:::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts.":::
@@ -98,7 +92,7 @@ For more information on the security features you can configure, manage, and enf
Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
- You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
+ You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch.
@@ -125,7 +119,9 @@ For more information on the security features you can configure, manage, and enf
:::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets.":::
- You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11).
+ You can enable or disable this feature using the following policy:
+ - **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\widgets
+ - **MDM**: ./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests)
For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4).
@@ -150,7 +146,7 @@ For more information on the security features you can configure, manage, and enf
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
-- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
+- Your Windows 10 apps also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
@@ -164,7 +160,7 @@ For more information on the security features you can configure, manage, and enf
- **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/).
- This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application:
+ This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. When you open a new tab, you can choose your command-line application:
:::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands.":::
@@ -177,7 +173,7 @@ For more information on the security features you can configure, manage, and enf
- [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f)
- [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6)
-- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
+- The **Microsoft Edge** browser is included with the OS. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL.
To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`.
@@ -185,13 +181,13 @@ For more information on the security features you can configure, manage, and enf
## Deployment and servicing
-- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10.
+- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Configuration Manager, and other methods. Windows 11 is delivered as an upgrade to eligible devices running Windows 10.
For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md).
For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e).
-- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
+- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and preconfigure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins.
If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot).
@@ -201,7 +197,7 @@ For more information on the security features you can configure, manage, and enf
- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
- Like Windows 10, Windows 11 will receive monthly quality updates.
+ Like Windows 10, Windows 11 receives monthly quality updates.
You have options to install updates on your Windows devices, including Intune, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
@@ -216,7 +212,7 @@ For more information on the security features you can configure, manage, and enf
## Education and apps
-Windows 11 SE is a new edition of Windows that's designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview).
+Windows 11 SE is a new edition of Windows designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview).
## Next steps
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index fa33976e89..39330b182a 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -1,7 +1,7 @@
---
title: Plan for Windows 11
description: Windows 11 deployment planning, IT Pro content.
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier1
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 08/11/2023
appliesto:
- ✅ Windows 11
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index fb11714e70..e5852e8ce3 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -1,7 +1,7 @@
---
title: Prepare for Windows 11
description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
-ms.prod: windows-client
+ms.service: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -10,7 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier1
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ Windows 11
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index f596c4e962..ececec3d96 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -4,13 +4,13 @@ description: Hardware requirements to deploy Windows 11.
manager: aaroncz
author: mestew
ms.author: mstewart
-ms.prod: windows-client
+ms.service: windows-client
ms.localizationpriority: medium
ms.topic: conceptual
ms.collection:
- highpri
- tier1
-ms.technology: itpro-fundamentals
+ms.subservice: itpro-fundamentals
ms.date: 02/13/2023
appliesto:
- ✅ Windows 11