diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 22682ba572..3b55ade168 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -23,7 +23,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
## June 2023
-### June feature release
+### June feature releases or updates
| Article | Description |
| ----- | ----- |
@@ -31,15 +31,16 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated [deadline link](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#behavior-during-updates) |
| [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md) | Updated the [Update policies](../references/windows-autopatch-microsoft-365-policies.md#update-policies) section |
-## June service release
+### June service releases
| Message center post number | Description |
| ----- | ----- |
+| [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update |
| [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests |
## May 2023
-### May feature release
+### May feature releases or updates
| Article | Description |
| ----- | ----- |
@@ -67,7 +68,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview |
| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview |
-## May service release
+### May service releases
| Message center post number | Description |
| ----- | ----- |
@@ -81,7 +82,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
-### April service release
+### April service releases
| Message center post number | Description |
| ----- | ----- |
@@ -99,7 +100,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | - Added support for subscription versions of Microsoft Project and Visio desktop apps
- Updated device eligibility criteria
- Clarified update controls
|
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview- [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
-### March service release
+### March service releases
| Message center post number | Description |
| ----- | ----- |
@@ -123,7 +124,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |- Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section
- Added more information about assigning less-privileged user accounts
|
-### February service release
+### February service releases
| Message center post number | Description |
| ----- | ----- |
@@ -142,7 +143,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment |
| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
-### January service release
+### January service releases
| Message center post number | Description |
| ----- | ----- |
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index c4756bf8de..17cd1c6c1d 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -368,21 +368,12 @@ If you don’t sign up for any of these enterprise services, Microsoft will act
> - Windows 10, versions 1809, 1903, 1909, and 2004.
> - Newer versions of Windows 10 and Windows 11 that have not updated yet to at least the January 2023 preview cumulative update.
-Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution.
+To enable Windows diagnostic data processor configuration, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
-In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
+- For Group Policy, you can use the “Allow commercial data pipeline” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
+- For an MDM solution, you can use the AllowCommercialDataPipeline setting in the System Policy configuration service provider (CSP).
-If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
-
-To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration:
-
- - **Name:** System/AllowCommercialDataPipeline
- - **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
- - **Data type:** Integer
-
-Under **Value**, use **1** to enable the service.
-
-If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**.
+For more information about AllowCommercialDataPipeline and the “Allow commercial data pipeline” policy, [review this information](/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline).
## Change privacy settings on a single server
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f83a2778dc..ab319962f8 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1916,9 +1916,13 @@ Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACH
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
-You can turn off Widgets by setting the following registry entries:
+To turn off Widgets, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
+
+- For Group Policy, you can use the “Allow widgets” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
+- For an MDM solution, you can use the AllowNewsAndInterests setting in the NewsandInterests configuration service provider (CSP).
+
+For more information about AllowNewsAndInterests and the “Allow widgets” policy, [review this information](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests).
-Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 08924b2594..cfcd88f924 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -124,6 +124,15 @@ sections:
- question: What is Event ID 300?
answer: |
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
+ - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
+ answer: |
+ The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
+
+ If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: **You've entered an incorrect PIN several times. To try again, enter A1B2C3 below**.
+ Upon entering the challenge phrase *A1B2C3*, the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the only option to reboot the device. Following the reboot, the aforementioned pattern repeats.
+
+ If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature.
+ For more information about the TPM anti-hammering feature, see [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering).
- name: Design and planning
questions:
@@ -165,7 +174,7 @@ sections:
answer: |
A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
- If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
+ If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
@@ -176,12 +185,12 @@ sections:
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
answer: |
No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
- - question: Is Windows Hello for Business considered multi-factor authentication?
+ - question: Is Windows Hello for Business considered multifactor authentication?
answer: |
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
- > The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
+ > The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
@@ -216,7 +225,7 @@ sections:
Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
- You can use *multi-factor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+ You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- name: Cloud Kerberos trust
questions: