Merge branch 'master' into nimishasatapathy-5595104-updatepolicy

Rebecca Agiewich
2022-01-03 16:24:24 -07:00
committed by GitHub
7 changed files with 156 additions and 13 deletions


@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 12/03/2021 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.collection: highpri ms.collection: highpri
@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service: The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license. 1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license.
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
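Review bot: the renamed license in step 1, "Endpoint Protection Manager license", conflicts with the surrounding text: the lead-in still says the steps demonstrate required settings using the Intune service, and the image alt text still reads "Intune license verification." Either keep "Intune license" or rename consistently across the sentence and the alt text. In step 2 the same hunk replaces "into Intune" with "into Mobile Device Management (MDM)"; that is acceptable, but the acronym MDM already appears unexpanded in the context line above ("the MDM service provider"), so the expansion can be dropped.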


@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 12/02/2020 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -3693,6 +3693,8 @@ ADMX Info:
<!--Description--> <!--Description-->
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
We do not recommend setting the value to less than 2 days to prevent machines from going out of date.
If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
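Review bot: the added sentence "We do not recommend setting the value to less than 2 days to prevent machines from going out of date" is ambiguous about cause and effect; as written it can be read as if a low value is the way to prevent staleness, while the intent appears to be the opposite. Suggest: "We do not recommend setting this value to less than 2 days, because machines may then be reported as out of date." Also state whether the 2-day floor is a recommendation or an enforced minimum, since the description otherwise gives only the 14-day default.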


@ -31,6 +31,9 @@ manager: dansimp
<dd> <dd>
<a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a> <a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
</dd> </dd>
<dd>
<a href="#notifications-wnsendpoint">Notifications/WnsEndpoint</a>
</dd>
</dl> </dl>
@ -208,5 +211,77 @@ Validation:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--Policy-->
<a href="" id="notifications-wnsendpoint"></a>**Notifications/WnsEndpoint**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint*
- GP name: *WnsEndpoint*
- GP path: *Start Menu and Taskbar/Notifications*
- GP ADMX file name: *WPN.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
If the policy is not specified, we will default our connection to client.wns.windows.com.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies--> <!--/Policies-->
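Review bot: the SupportedValues section of the new Notifications/WnsEndpoint entry only repeats the default ("If the policy is not specified, we will default our connection to client.wns.windows.com") and never says what the policy value is: presumably an FQDN, but whether a port or scheme is accepted, and the data type, are left unstated. Further points in the same block: the GP Friendly name "Required for Airgap servers that may have a unique FQDN that is different from the public endpoint" reads like a description rather than a display name and should be checked against WPN.admx; "whitelisted from your firewall settings" should read "allowed through your firewall"; and because this setting redirects push-notification traffic to whichever endpoint is configured, the description should state that the value must be an endpoint the organization controls and trusts rather than leaving that implied by the airgap use case.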


@ -29,6 +29,9 @@ manager: dansimp
<dd> <dd>
<a href="#settings-allowdatetime">Settings/AllowDateTime</a> <a href="#settings-allowdatetime">Settings/AllowDateTime</a>
</dd> </dd>
<dd>
<a href="#settings-alloweditdevicename">Settings/AllowEditDeviceName</a>
</dd>
<dd> <dd>
<a href="#settings-allowlanguage">Settings/AllowLanguage</a> <a href="#settings-allowlanguage">Settings/AllowLanguage</a>
</dd> </dd>
@ -191,6 +194,68 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy disables edit device name option on Settings.
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value, default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage** <a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**


@ -31,7 +31,7 @@ ms.technology: privacy
This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. 
Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
> [!IMPORTANT] > [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
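Review bot: the link change in the first paragraph swaps the go.microsoft.com fwlink redirector for a direct download.microsoft.com URL containing a GUID path (WindowsRTLFB.zip). Redirector links exist so published docs keep working when the package is reissued; a hard-coded download path will break silently the next time the baseline is updated, so either keep the fwlink and fix its target, or record why the direct URL is required. Splitting the paragraph is fine, but the first half now ends with a trailing space after "in your organization." that should be trimmed.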


@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 09/07/2021 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -23,7 +23,7 @@ ms.technology: windows-sec
***Event Description:*** ***Event Description:***
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. This event is logged for any logon failure.
It generates on the computer where logon attempt was made, for example, if logon attempt was made on users workstation, then event will be logged on this workstation. It generates on the computer where logon attempt was made, for example, if logon attempt was made on users workstation, then event will be logged on this workstation.
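Review bot: the rewritten event description drops specific information without replacing it. The old text named two concrete triggers (a logon attempt against an already locked-out account, and the attempt that caused the lockout); the new text, "This event is logged for any logon failure.", is broader and gives a defender nothing to key on. If the event really fires for every failed logon, keep the lockout cases as examples and say which event fields distinguish them; if it does not, the new sentence is wrong and the original wording should be restored. Either way the following context sentence still needs its grammar fixed ("where the logon attempt was made", "the user's workstation", "the event will be logged").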


@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 01/03/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -34,14 +34,14 @@ When devices are configured to accept authentication requests by using online ID
> [!NOTE] > [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard users credentials through Credential Manager. > Linking online IDs can be performed by anyone who has an account that has standard users credentials through Credential Manager.
This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later.
### Possible values ### Possible values
- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!NOTE] > [!NOTE]
> KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
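Review bot: the rewritten default-behavior sentence is internally inconsistent. It says the policy "isn't configured by default on domain-joined devices" and, in the same paragraph, that it "is enabled by default in Windows 10, Version 1607, and later"; say whether the policy is Enabled or Not Configured on 1607 and later, and what the effective behavior is in each case. The version ranges also overlap: "from Windows 7 up to Windows 10, Version 1607" and "Windows 10, Version 1607, and later" both include 1607; the table added later in this commit uses "prior to Windows 10, Version 1607", which is the unambiguous form to use here as well. The KU2U to PKU2U typo fix in the note is correct, and the added "If PKU2U is disabled, ..." makes the consequence read properly.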
@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis
### Best practices ### Best practices
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments.
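Review bot: the qualifier "for on-premises only environments" is appended to the end of the Disabled recommendation and reads as if it modified "authenticate"; move it to the front: "For on-premises-only environments, set this policy to **Disabled** or leave it not configured so that online identities cannot be used to authenticate. For hybrid and Azure AD-joined environments, set this policy to **Enabled**." The leading sentence "Within a domain, domain accounts should be used for authentication" now applies only to the first case and should be scoped accordingly.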
### Location ### Location
@ -66,7 +66,8 @@ The following table lists the effective default values for this policy. Default
| Stand-alone server default settings | Not defined| | Stand-alone server default settings | Not defined|
| Domain controller effective default settings | Disabled| | Domain controller effective default settings | Disabled|
| Member server effective default settings | Disabled| | Member server effective default settings | Disabled|
| Effective GPO default settings on client computers | Disabled| | Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
## Security considerations ## Security considerations
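Review bot: the two new client rows in the defaults table use different label conventions and spacing: "prior to Windows 10, Version 1607 | Disabled|" versus "Windows 10, Version 1607 and later| Enabled|" (missing space before the pipe). Align them, for example "Effective GPO default settings on client computers prior to Windows 10, version 1607" and "Effective GPO default settings on client computers, Windows 10, version 1607 and later". The Enabled default for 1607 and later also needs to agree with the sentence earlier in the article that still says the policy isn't configured by default on domain-joined devices (see the context line of the @@ -49 hunk).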