Merge branch 'master' into nimishasatapathy-5709552-GPenglish

windows/client-management/connect-to-remote-aadj-pc.md

@@ -9,7 +9,7 @@ ms.pagetype: devices
 author: dansimp
 ms.localizationpriority: medium
 ms.author: dansimp
-ms.date: 09/14/2021
+ms.date: 01/18/2022
 ms.reviewer: 
 manager: dansimp
 ms.topic: article
@@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
         ```
         where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
 
-        This command only works for AADJ device users already added to any of the local groups (administrators).
+        In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
-        Otherwise this command throws the below error. For example:
         - for cloud only user: "There is no such global user or group : *name*"
         - for synced user: "There is no such global user or group : *name*" </br>
 
@@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
 
       - Adding users using policy
      
-         Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
+         Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
 
          > [!TIP]
          > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

windows/client-management/mdm/configuration-service-provider-reference.md

@@ -1135,6 +1135,7 @@ The following list shows the CSPs supported in HoloLens devices:
 -   [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
 -   [Firewall-CSP](firewall-csp.md) 
 -   [HealthAttestation CSP](healthattestation-csp.md)
+-   [NetworkProxy CSP](networkproxy-csp.md)
 -   [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
 -   [NodeCache CSP](nodecache-csp.md)
 -   [PassportForWork CSP](passportforwork-csp.md)

windows/client-management/mdm/policy-csp-update.md

@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 01/10/2022
+ms.date: 01/11/2022
 ms.reviewer: 
 manager: dansimp
 ms.collection: highpri
@@ -427,8 +427,8 @@ ADMX Info:
 The following list shows the supported values:
 
 - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
--   1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
+- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.
--   2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
+- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. Automatic restarting when a device is not being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart.
 - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
 - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
 - 5 – Turn off automatic updates.
@@ -536,9 +536,17 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
--   0 – Not allowed or not configured.
+- 0 – Not configured.
 - 1 – Allowed. Accepts updates received through Microsoft Update.
 
+> [!NOTE]
+> Setting this policy back to **0** or **Not configured** does not revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
+
+```
+$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
+$MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")
+```
+
 <!--/SupportedValues-->
 <!--/Policy-->
 
@@ -570,11 +578,11 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
 
 Supported operations are Get and Replace.
 
-This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
 
 <!--/Description-->
 <!--SupportedValues-->
@@ -673,18 +681,18 @@ For Quality Updates, this policy specifies the deadline in days before automatic
 
 The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
 
-Value type is integer. Default is 7 days. 
+Value type is integer. Default is seven days. 
 
 Supported values range: 2-30.
 
-Note that the PC must restart for certain updates to take effect.
+The PC must restart for certain updates to take effect.
 
 If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
 
 If you disable or do not configure this policy, the PC will restart according to the default schedule.
 
 If any of the following two policies are enabled, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations.
+1. No autorestart with logged on users for scheduled automatic updates installations.
 2. Always automatically restart at scheduled time.
 
 <!--/Description-->
@@ -742,7 +750,7 @@ If you enable this policy, a restart will automatically occur the specified numb
 If you disable or do not configure this policy, the PC will restart according to the default schedule.
 
 If any of the following two policies are enabled, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations.
+1. No autorestart with logged on users for scheduled automatic updates installations.
 2. Always automatically restart at scheduled time.
 
 <!--/Description-->
@@ -785,7 +793,7 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Allows the IT Admin to specify the period for auto-restart reminder notifications.
+Allows the IT Admin to specify the period for autorestart reminder notifications.
 
 The default value is 15 (minutes).
 
@@ -833,7 +841,7 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
 
 <!--/Scope-->
 <!--Description-->
-Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+Allows the IT Admin to specify the method by which the autorestart required notification is dismissed.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -887,7 +895,7 @@ This policy setting allows you to configure if Automatic Maintenance should make
 > [!Note]
 > If the OS power wake policy is explicitly disabled, then this setting has no effect.
 
-If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required.
+If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary.
 
 If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies.
 <!--/Description-->
@@ -1004,7 +1012,7 @@ ADMX Info:
 
 <!--/ADMXMapped-->
 <!--SupportedValues-->
-Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
 
 Default value is 7.
 <!--/SupportedValues-->
@@ -1056,7 +1064,7 @@ ADMX Info:
 
 <!--/ADMXMapped-->
 <!--SupportedValues-->
-Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
 
 Default value is 7.
 <!--/SupportedValues-->
@@ -1207,7 +1215,7 @@ When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredead
 
 When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline.
 
-<same ADMX info and rest of description>
+<!---same ADMX info and rest of description>
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
@@ -1388,7 +1396,7 @@ ADMX Info:
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
 
 
-Allows IT Admins to specify update delays for up to 4 weeks.
+Allows IT Admins to specify update delays for up to four weeks.
 
 Supported values are 0-4, which refers to the number of weeks to defer updates.
 
@@ -1397,14 +1405,14 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t
 If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
 
 OS upgrade:
-- Maximum deferral: 8 months
+- Maximum deferral: Eight months
-- Deferral increment: 1 month
+- Deferral increment: One month
 - Update type/notes:
   - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
 
 Update:
-- Maximum deferral: 1 month
+- Maximum deferral: One month
-- Deferral increment: 1 week
+- Deferral increment: One week
 - Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic:
   
   - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
@@ -1466,7 +1474,7 @@ ADMX Info:
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
 
 
-Allows IT Admins to specify additional upgrade delays for up to 8 months.
+Allows IT Admins to specify other upgrade delays for up to eight months.
 
 Supported values are 0-8, which refers to the number of months to defer upgrades.
 
@@ -1512,7 +1520,7 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. 
+Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. 
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1558,7 +1566,7 @@ Do not allow update deferral policies to cause scans against Windows Update. If
 
 For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607).
 
-This is the same as the Group Policy in Windows Components > Windows Update "Do not allow update deferral policies to cause scans against Windows Update."
+This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update."
 
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 
@@ -1669,7 +1677,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-To ensure the highest levels of security, we recommended leveraging WSUS TLS certificate pinning on all devices. 
+To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. 
 
 By default, certificate pinning for Windows Update client is not enforced. 
 
@@ -1719,7 +1727,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
 
 The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
 
@@ -1730,14 +1738,14 @@ Value type is integer. Default is 14.
 
 Supported value range: 2 - 30.
 
-If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
+If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling).
 
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1779,20 +1787,20 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
 
 Value type is integer. Default is 14.
 
-Supported value range: 2 - 30.
+Supported value range: 2-30.
 
-If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
+If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling).
 
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1834,18 +1842,18 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
+For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
 
-Value type is integer. Default is 3 days.
+Value type is integer. Default is three days.
 
-Supported value range: 1 - 3.
+Supported value range: 1-3.
 
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1887,18 +1895,18 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
+For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
 
-Value type is integer. Default is 3 days.
+Value type is integer. Default is three days.
 
-Supported value range: 1 - 3.
+Supported value range: 1-3.
 
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1949,9 +1957,9 @@ Supported value range: 2 - 30.
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1995,16 +2003,16 @@ ADMX Info:
 <!--Description-->
 For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
 
-Value type is integer. Default value is 7 days.
+Value type is integer. Default value is seven days.
 
-Supported value range: 2 - 30.
+Supported value range: 2-30.
 
 If you disable or do not configure this policy, the default behaviors will be used.
 
 If any of the following policies are configured, this policy has no effect:
-1. No auto-restart with logged on users for scheduled automatic updates installations
+1. No autorestart with logged on users for scheduled automatic updates installations
 2. Always automatically restart at scheduled time
-3. Specify deadline before auto-restart for update installation
+3. Specify deadline before autorestart for update installation
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -2307,7 +2315,7 @@ The following list shows the supported values:
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
 
 
-Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
+Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
 
 
 If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
@@ -2670,7 +2678,7 @@ The following list shows the supported values:
 > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
 
 
-Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
 
 Supported operations are Get and Replace.
 
@@ -2712,7 +2720,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+Allows the IT Admin to specify the period for autorestart imminent warning notifications.
 
 The default value is 15 (minutes).
 
@@ -2764,7 +2772,7 @@ Supported values are 15, 30, or 60 (minutes).
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
 
 
-Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
+Allows the IT Admin to specify the period for autorestart warning reminder notifications.
 
 The default value is 4 (hours).
 
@@ -2814,7 +2822,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
 <!--Description-->
 Enables the IT admin to schedule the day of the update installation.
 
-The data type is a integer.
+The data type is an integer.
 
 Supported operations are Add, Delete, Get, and Replace.
 
@@ -2871,7 +2879,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
+Enables the IT admin to schedule the update installation on every week. Value type is integer. Supported values:
 <ul>
 <li>0 - no update in the schedule</li>
 <li>1 - update is scheduled every week</li>
@@ -3107,7 +3115,7 @@ ADMX Info:
 
 Enables the IT admin to schedule the time of the update installation.
 
-The data type is a integer.
+The data type is an integer.
 
 Supported operations are Add, Delete, Get, and Replace.
 
@@ -3155,7 +3163,7 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Allows the IT Admin to disable auto-restart notifications for update installations.
+Allows the IT Admin to disable autorestart notifications for update installations.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -3338,7 +3346,7 @@ The following list shows the supported values:
 <!--Description-->
 Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. 
 
-If you configure this policy, please also configure the scan source policies for other update types:
+If you configure this policy, also configure the scan source policies for other update types:
 - SetPolicyDrivenUpdateSourceForFeature
 - SetPolicyDrivenUpdateSourceForQuality
 - SetPolicyDrivenUpdateSourceForOther
@@ -3358,8 +3366,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
-- 0: (Default) Detect, download and deploy Driver from Windows Update 
+- 0: (Default) Detect, download, and deploy Driver from Windows Update 
-- 1: Enabled, Detect, download and deploy Driver from Windows Server Update Server (WSUS) 
+- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS) 
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -3394,7 +3402,7 @@ The following list shows the supported values:
 <!--Description-->
 Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. 
 
-If you configure this policy, please also configure the scan source policies for other update types:
+If you configure this policy, also configure the scan source policies for other update types:
 - SetPolicyDrivenUpdateSourceForQuality
 - SetPolicyDrivenUpdateSourceForDriver
 - SetPolicyDrivenUpdateSourceForOther
@@ -3414,8 +3422,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
-- 0: (Default) Detect, download and deploy Feature from Windows Update 
+- 0: (Default) Detect, download, and deploy Feature from Windows Update 
-- 1: Enabled, Detect, download and deploy Feature from Windows Server Update Server (WSUS) 
+- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS) 
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -3450,7 +3458,7 @@ The following list shows the supported values:
 <!--Description-->
 Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. 
 
-If you configure this policy, please also configure the scan source policies for other update types:
+If you configure this policy, also configure the scan source policies for other update types:
 - SetPolicyDrivenUpdateSourceForFeature
 - SetPolicyDrivenUpdateSourceForQuality
 - SetPolicyDrivenUpdateSourceForDriver
@@ -3470,8 +3478,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
-- 0: (Default) Detect, download and deploy Other from Windows Update 
+- 0: (Default) Detect, download, and deploy Other from Windows Update 
-- 1: Enabled, Detect, download and deploy Other from Windows Server Update Server (WSUS) 
+- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS) 
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -3506,7 +3514,7 @@ The following list shows the supported values:
 <!--Description-->
 Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. 
 
-If you configure this policy, please also configure the scan source policies for other update types:
+If you configure this policy, also configure the scan source policies for other update types:
 - SetPolicyDrivenUpdateSourceForFeature
 - SetPolicyDrivenUpdateSourceForDriver
 - SetPolicyDrivenUpdateSourceForOther
@@ -3526,8 +3534,8 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
-- 0: (Default) Detect, download and deploy Quality from Windows Update 
+- 0: (Default) Detect, download, and deploy Quality from Windows Update 
-- 1: Enabled, Detect, download and deploy Quality from Windows Server Update Server (WSUS) 
+- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS) 
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -3560,9 +3568,9 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents.
+Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents.
 
-This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.
+This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -3725,7 +3733,7 @@ ADMX Info:
 > [!IMPORTANT]
 > Starting in Windows 10, version 1703 this policy is not supported in IoT Mobile.
 
-Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
 
 Supported operations are Get and Replace.
 

windows/deployment/TOC.yml

@@ -167,6 +167,8 @@
               href: update/waas-manage-updates-wufb.md
             - name: Configure Windows Update for Business
               href: update/waas-configure-wufb.md
+            - name: Use Windows Update for Business and WSUS
+              href: update/wufb-wsus.md    
             - name: Windows Update for Business deployment service
               href: update/deployment-service-overview.md
               items:

windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md

@@ -257,6 +257,5 @@ When you have completed all the steps in this section to prepare for deployment,
 **Sample files**
 
 The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
-- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
 - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
 - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md

@@ -38,9 +38,6 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
 > [!NOTE]
 > Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
 
->[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
 For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
 
 ## Configure Active Directory for BitLocker

windows/deployment/mbr-to-gpt.md

@@ -12,7 +12,7 @@ ms.author: greglin
 ms.date: 02/13/2018
 manager: dougeby
 ms.audience: itpro
-ms.localizationpriority: medium
+ms.localizationpriority: high
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri

windows/deployment/s-mode.md

@@ -3,7 +3,7 @@ title: Windows 10 Pro in S mode
 description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
 keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
 ms.mktglfcycl: deploy
-ms.localizationpriority: medium
+ms.localizationpriority: high
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy

windows/deployment/update/servicing-stack-updates.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationpriority: medium
+ms.localizationpriority: high
 ms.author: jaimeo
 manager: dougeby
 ms.collection:

windows/deployment/update/waas-delivery-optimization-reference.md

@@ -118,10 +118,10 @@ Download mode dictates which download sources clients are allowed to use when do
 |Bypass (100) |	Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
 
 > [!NOTE]
-> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used.
+> Starting in Windows 11, the Bypass option of Download Mode is no longer used.
 
->[!NOTE]
+> [!NOTE]
->When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
+> When you use AAD tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
 
 ### Group ID
 
@@ -178,6 +178,9 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
 
 This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
 
+> [!NOTE]
+> This is the best option for low bandwidth environments.
+
 ### Maximum Foreground Download Bandwidth
 
 Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
@@ -190,6 +193,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download
 
 This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 
+> [!NOTE]
+> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
+
 ### Max Upload Bandwidth
 
 This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
@@ -205,6 +211,8 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 
 If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
 
+The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
+
 ### Delay background download from http (in secs)
 Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
 

windows/deployment/update/waas-delivery-optimization.md

@@ -40,6 +40,10 @@ For information about setting up Delivery Optimization, including tips for the b
 
 - New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
 - Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID).
+
+> [!NOTE]
+> The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](/windows/deployment/update/waas-delivery-optimization-reference).
+
 - Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
 
 ## Requirements

windows/deployment/update/windows-update-errors.md

@@ -124,7 +124,7 @@ The following table provides information about common errors you might run into
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
+| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
 
 ## 0x800F0920
 
@@ -136,13 +136,13 @@ The following table provides information about common errors you might run into
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
+| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. |
 
 ## 0x800f0831
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component  Store. | Repair the component store with **Dism RestoreHealth** or manually repair with   the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.  |
+| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component  Store. | Repair the component store with **Dism RestoreHealth** or manually repair with   the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.  |
 
 ## 0x80070005
 
@@ -154,7 +154,7 @@ The following table provides information about common errors you might run into
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.|
+| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device.|
 
 
 ## 0x80070003
@@ -180,7 +180,7 @@ The following table provides information about common errors you might run into
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | 
+| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:<br>*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH*<br>*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*<br>*Sfc /Scannow*<br> Restart the device. | 
 
 ## 0x80072EFE
 
@@ -198,7 +198,7 @@ The following table provides information about common errors you might run into
 
 | Message | Description | Mitigation |
 |---------|-------------|------------|
-| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> https://*.windowsupdate.microsoft.com <br> https://*.windowsupdate.microsoft.com <br> https://*.update.microsoft.com <br> https://*.update.microsoft.com <br> https://*.windowsupdate.com <br> https://download.windowsupdate.com <br> https://download.microsoft.com <br> https://*.download.windowsupdate.com <br> https://wustat.windows.com <br> https://ntservicepack.microsoft.com |
+| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> https://.windowsupdate.microsoft.com <br> https://update.microsoft.com <br> https://*.update.microsoft.com <br> https://windowsupdate.com <br> https://*.windowsupdate.com <br> https://download.windowsupdate.com <br> https://*.download.windowsupdate.com <br> https://download.microsoft.com <br> https://*.download.windowsupdate.com <br> https://wustat.windows.com <br> https://*.wustat.windows.com <br> https://ntservicepack.microsoft.com |
 
 ## 0x80240022
 

windows/deployment/update/wufb-wsus.md

@@ -0,0 +1,78 @@
+---
+title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together
+description:  Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+author: arcarley
+ms.localizationpriority: medium
+audience: itpro
+ms.author: arcarley
+ms.collection:
+  - m365initiative-coredeploy
+  - highpri
+manager: dougeby
+ms.topic: article
+---
+
+# Use Windows Update for Business and WSUS together
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service.
+
+We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
+
+> [!IMPORTANT]
+> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.
+
+## About the scan source policy
+
+The specify scan source policy enables you to specify whether your device gets the following Windows update types form WSUS **or** from Windows Update:
+
+- Feature updates
+- Windows quality updates
+- Driver and firmware updates
+- Updates for other Microsoft products
+
+We recommend using this policy on your transition from fully on-premises managed environment to a cloud supported one. Whether you move only drivers to the cloud today or drivers and quality updates and then later move your other workloads, taking a step-by-step approach might ease the transition.
+
+## Default scan behavior
+
+To help you better understand the scan source policy, see the default scan behavior below and how we can change it:
+
+- If no policies are configured: All of your updates will come from Windows Update.
+- If you configure only the WSUS server policy:
+
+  - On Windows 10: All of your updates will come from WSUS.
+  - On Windows 11: All of your updates will still come from Windows Update unless you configure the specify scan source policy.
+
+- If you configure a WSUS server and deferral policies: All of your updates will come from Windows Update unless you specify the scan source policy.
+- If you configure a WSUS server and the scan source policy: All of your updates will come from the source chosen in the scan source policy.
+
+> [!TIP]
+> The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.
+
+## Configure the scan sources
+
+The policy can be configured using the following two methods:
+
+1. Group Policy: Specify source service for specific classes of Windows Updates
+
+   - Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\
+
+   :::image type="content" source="media/specify-update-type-sources.png" alt-text="Screenshot of the Group Policy for specifiying sources for update types":::
+
+2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor<Update Type>**:
+
+> [!NOTE]
+> You should configure **all** of these policies if you are using CSPs.
+
+- [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
+- [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
+- [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
+- [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)

windows/deployment/upgrade/resolution-procedures.md

@@ -45,7 +45,7 @@ See the following general troubleshooting procedures associated with a result co
 | :---     |  :---  |  :--- |
 | 0xC1900101 - 0x20004   | Uninstall antivirus applications.<br>Remove all unused SATA devices. <br>Remove all unused devices and drivers. <br>Update drivers and BIOS.     | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation. <br>This is generally caused by out-of-date drivers.    |
 | 0xC1900101 - 0x2000c     | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br> Contact your hardware vendor to obtain updated device drivers.<br> Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.       | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.<br> This is generally caused by out-of-date drivers      |
-| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. |
+| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.<br>This can also be caused by a hardware failure. |
 | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Contact your hardware vendor to obtain updated device drivers.<br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
 | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.<br>This can occur due to a problem with a display driver. |
 | 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.<br>Review the rollback log and determine the stop code.<br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder.  An example analysis is shown below. This example is not representative of all cases:<br>&nbsp;<br>Info SP     Crash 0x0000007E detected<br>Info SP       Module name           :<br>Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005<br>Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A<br>Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728<br>Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40<br>Info SP     Cannot recover the system.<br>Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.<br>&nbsp;<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>&nbsp;<br>1. Make sure you have enough disk space.<br>2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>3. Try changing video adapters.<br>4. Check with your hardware vendor for any BIOS updates.<br>5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This can occur because of incompatible drivers. |
@@ -93,7 +93,7 @@ See the following general troubleshooting procedures associated with a result co
 | Error Codes | Cause | Mitigation |
 | --- | --- | --- |
 |0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
-|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
+|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
 |0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
 |0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
 |0xC1900200 - 0x20008|The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.<p>Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|

windows/deployment/vda-subscription-activation.md

@@ -153,4 +153,4 @@ To create custom RDP settings for Azure:
 
 [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
 <BR>[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
-<BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
+<BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)

windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md

@@ -13,25 +13,27 @@ ms.pagetype: activation
 audience: itpro
 author: greg-lindsay
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 01/13/2022
 ms.topic: article
 ms.collection: highpri
 ---
 
 # Activate using Active Directory-based activation
 
-> Applies to
+**Applies to**
->
+
->- Windows 10
+Windows 11
->- Windows 8.1
+Windows 10
->- Windows 8
+Windows 8.1
->- Windows Server 2012 R2
+Windows 8
->- Windows Server 2012
+Windows Server 2012 R2
->- Windows Server 2016
+Windows Server 2012
->- Windows Server 2019
+Windows Server 2016
->- Office 2013*
+Windows Server 2019
->- Office 2016*
+Office 2021*
->- Office 2019*
+Office 2019*
+Office 2016*
+Office 2013*
 
 **Looking for retail activation?**
 
@@ -109,7 +111,8 @@ When a reactivation event occurs, the client queries AD DS for the activation o
     **Figure 15**. Choosing how to activate your product
 
     > [!NOTE]
-    > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
+    > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
+
     > 
     > 
     > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
@@ -117,6 +120,8 @@ When a reactivation event occurs, the client queries AD DS for the activation o
     > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
     >
     > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
+    >
+    > - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
 
 8. After activating the key, click **Commit**, and then click **Close**.
 

windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md

@@ -162,7 +162,7 @@ After you download this file, the name will be extremely long (ex: 19042.508.200
 The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
 
 ```powershell
-(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
 ```
 
 The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
@@ -178,10 +178,10 @@ All VM data will be created under the current path in your PowerShell prompt. Co
 >
 >- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
 >- If you have never created an external VM switch before, then just run the commands below.
->- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
+>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
 
 ```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
 New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
 Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
 Start-VM -VMName WindowsAutopilot
@@ -238,7 +238,6 @@ PS C:\autopilot>
 
 Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
 
-
    ![Windows setup example 1](images/winsetup1.png)
 
    ![Windows setup example 2](images/winsetup2.png)
@@ -251,7 +250,6 @@ Make sure that the VM booted from the installation ISO, select **Next**, select
 
    ![Windows setup example 6](images/winsetup6.png)
 
-
 After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This offers the fastest way to the desktop. For example:
 
    ![Windows setup example 7.](images/winsetup7.png)
@@ -279,12 +277,12 @@ Follow these steps to run the PowerShell script:
 1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
 
     ```powershell
-    md c:\HWID
+    New-Item -Type Directory -Path "C:\HWID"
-    Set-Location c:\HWID
+    Set-Location C:\HWID
-    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
     Install-Script -Name Get-WindowsAutopilotInfo -Force
     $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-    Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+    Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
     ```
 
 1. When you're prompted to install the NuGet package, choose **Yes**.
@@ -349,7 +347,7 @@ Follow these steps to run the PowerShell script:
 With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
 
 On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**.
+Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
 
 ![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
 

windows/security/information-protection/tpm/change-the-tpm-owner-password.md

@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 12/03/2021
+ms.date: 01/18/2022
 ---
 
 # Change the TPM owner password
@@ -46,7 +46,7 @@ Instead of changing your owner password, you can also use the following options
 
 ## Change the TPM owner password
 
-With Windows 10, version 1507 or 1511, or Windows 11, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
+With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
 
 To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
 

windows/security/threat-protection/auditing/audit-registry.md

@@ -48,6 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
 
 
 > [!NOTE]
-> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
 >
 > Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. 

windows/security/threat-protection/auditing/event-4673.md

@@ -173,7 +173,7 @@ For 4673(S, F): A privileged service was called.
 
 > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
 
--   Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
+-   Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details.
 
 -   If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”
 

windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 01/05/2022
 ms.technology: windows-sec
 ---
 
@@ -43,6 +43,9 @@ Although it might be appropriate in some organizations to allow users to install
 
 -   It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer.
 
+> [!NOTE]
+> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. 
+
 ### Location
 
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options

windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 01/18/2022
 ms.technology: windows-sec
 ---
 
@@ -27,7 +27,7 @@ ms.technology: windows-sec
 
 Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
 
-Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/sir/default.aspx).
+Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report).
 
 Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
 

windows/whats-new/windows-11-prepare.md

@@ -18,6 +18,7 @@ ms.collection: highpri
 **Applies to**
 
 -   Windows 11
+-   Windows 10
 
 Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.