Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20240124-kiosk

This commit is contained in:
Paolo Matarazzo 2024-02-13 11:17:03 +01:00
commit 352bf05c6c
7 changed files with 32 additions and 35 deletions

View File

@ -29,7 +29,6 @@
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.topic": "article",
"ms.collection": [
"education",
"tier2"
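Review bot: removing `"ms.topic": "article"` from `globalMetadata` in this docset configuration hunk drops the default topic type for every page in the docset that does not set `ms.topic` in its own front matter; before merging, confirm that each affected article sets `ms.topic` itself or that a `fileMetadata` rule supplies it, otherwise those pages lose their topic classification silently. The same removal appears in the other configuration hunks of this commit, so the check applies to each docset touched.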

View File

@ -42,7 +42,6 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.service": "windows-client",
"ms.subservice": "itpro-apps",
"ms.topic": "article",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
@ -53,10 +52,10 @@
},
"titleSuffix": "Windows Application Management",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric",
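Review bot: the four `contributors_to_exclude` entries ("rjagiewich", "traya1", "rmca14", "claydetels19") appear once as removed and once as re-added with no visible text difference, and the hunk header's 10/10 line count confirms nothing was added or dropped, so this is a whitespace- or indentation-only edit. It is harmless but adds noise to the diff; a shared indentation setting for these JSON files would keep it from recurring across the sibling hunks in this commit.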

View File

@ -44,7 +44,6 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.service": "windows-client",
"ms.subservice": "itpro-fundamentals",
"ms.topic": "article",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
@ -55,10 +54,10 @@
},
"titleSuffix": "Windows for IT Pros",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric",

View File

@ -39,7 +39,6 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.service": "windows-client",
"ms.subservice": "itpro-privacy",
"ms.topic": "article",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
@ -50,10 +49,10 @@
},
"titleSuffix": "Windows Privacy",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric",

View File

@ -13,23 +13,25 @@ This article describes the options to configure Windows Hello for Business in an
You can configure Windows Hello for Business by using the following options:
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unamanged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unmanaged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2]
- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution
## Policy precedence
Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business:
- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used
- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy isn't set, the computer policy is used
- Windows Hello for Business policy settings are enforced using the following hierarchy:
- User GPO
- Computer GPO
- User MDM
- Device MDM
- Device Lock policy
- User - GPO
- Computer - GPO
- User - PassportForWork CSP
- Device - PassportForWork CSP
- Exchange Active Sync - [DeviceLock CSP](/windows/client-management/mdm/policy-csp-devicelock)
>[!IMPORTANT]
>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
>If you configure password length and complexity settings defined by the DeviceLock CSP, and PIN length and complexity settings defined by the PassportForWork CSP, Windows enforces the strictest policy out of the set of governing policies.
>
>The DeviceLock CSP utilizes the Exchange ActiveSync Policy (EAS) engine. For more information, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn282287(v=ws.11)).
>[!NOTE]
> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
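Review bot: "the corresponded computer policy" is still ungrammatical in the edited precedence bullet; it should read "the corresponding computer policy". In the new hierarchy list, "Exchange Active Sync" should be "Exchange ActiveSync" to match the IMPORTANT note and the linked article title. More importantly, the rewritten IMPORTANT note now states that Windows enforces the strictest of the DeviceLock CSP and PassportForWork CSP settings, whereas the removed text said PassportForWork values take precedence over EAS and DeviceLock complexity rules; since the list directly above still presents the policy sources as an ordered hierarchy, please confirm the strictest-wins behavior against a product source and say how it relates to that ordering, or readers will take the two statements as contradictory.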
@ -63,9 +65,9 @@ For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enr
There are different ways to enable and configure Windows Hello for Business in Intune:
- Using a policy applied at the tenant level. The tenant policy:
- Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune
- Is only applied at enrollment time, and any changes to its configuration doesn't apply to devices already enrolled in Intune
- It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group
- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- A device configuration policy that is applied *after* device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from:
- [Settings catalog][MEM-1]
- [Security baselines][MEM-2]
- [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4]
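Review bot: the edited tenant-policy bullet "any changes to its configuration doesn't apply to devices already enrolled in Intune" has a subject-verb disagreement; "changes" is plural, so it should read "any changes to its configuration don't apply to devices already enrolled in Intune".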
@ -76,16 +78,16 @@ There are different ways to enable and configure Windows Hello for Business in I
To check the Windows Hello for Business policy settings applied at enrollment time:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
1. Verify the status of **Configure Windows Hello for Business** and any settings that might be configured
:::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
## Policy conflicts from multiple policy sources
Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business. If you mix GPO and CSP policy settings, the CSP settings are ignored until all group policy settings are cleared.
> [!IMPORTANT]
> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
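Review bot: the rewritten conflict paragraph switches terminology mid-sentence: after changing the wording to GPO and CSP, it still ends with "the CSP settings are ignored until all group policy settings are cleared"; use "until all GPO settings are cleared" so the paragraph uses one term throughout.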

View File

@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
The **Create global objects** user right is required for a user account to create global file mapping and symbolic link objects. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
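Review bot: "session-specfic" is misspelled in both the old and new versions of the second sentence; fix it to "session-specific" while this paragraph is being edited. The rewrite also changes what the right is said to be required for (global file mapping and symbolic link objects, rather than global objects in Remote Desktop sessions), so check that the rest of the article, including the following paragraph about the **Remote Desktop Users** group having this right, still reads consistently with the new description.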

View File

@ -41,7 +41,6 @@
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.topic": "article",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
@ -52,10 +51,10 @@
},
"titleSuffix": "What's new in Windows",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric",