From 9fb4ad33635471826df9db468b1a3900f37576ea Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 29 Mar 2023 09:44:45 -0700
Subject: [PATCH 01/20] wufbr perms MAXADO-7738226

---
 .../wufb-reports-admin-center-permissions.md   | 18 ++++++++++--------
 .../update/wufb-reports-admin-center.md        |  7 ++++---
 .../update/wufb-reports-prerequisites.md       |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b132951a59..05d3a799e1 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,25 +5,27 @@ manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
-ms.date: 03/15/2023
+ms.date: 03/29/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
 
+**Roles for enrolling into Windows Update for Business reports**
+
 To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
 
 - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
 - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
-   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
-   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
 
-To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
-  - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
+**Roles for reading Windows Update for Business reports**:
 
-**Log Analytics permissions**:
+The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
 
-The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions:
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
 - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access to the Log Analytics workspace is needed
+
+> [!IMPORTANT]
+> - At minimum, the Log Analytics Reader role (or equivalent permissions) need to be assigned to all of the above enrollment roles because they don't have the permissions by default.
+> - Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 0ba338dd97..dc316fec52 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 03/29/2023
 ms.technology: itpro-updates
 ---
 
@@ -27,11 +27,12 @@ The **Software updates** page has following tabs to assist you in monitoring upd
 
 ## Permissions
 
+> [!NOTE]
+> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
+
 <!--Using include Microsoft 365 admin center permissions-->
 [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
 
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
 
 ## Limitations
 
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index fa6514d687..b2b565908f 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 03/15/2023
+ms.date: 03/29/2023
 ms.technology: itpro-updates
 ---
 

From fad891daf9ac8250fe21d9898efa524a08faa53a Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 29 Mar 2023 12:04:11 -0700
Subject: [PATCH 02/20] wufbr perms MAXADO-7738226

---
 .../wufb-reports-admin-center-permissions.md       | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 05d3a799e1..b54639dfe6 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -10,22 +10,24 @@ ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
 
-**Roles for enrolling into Windows Update for Business reports**
+**Enrolling into Windows Update for Business reports**
 
-To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
+To enroll into Windows Update for Business reports from the [Azure portal](portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
 - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
 - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
 
-**Roles for reading Windows Update for Business reports**:
+> [!IMPORTANT]
+> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.
+
+**Read Windows Update for Business reports data**:
 
 The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
 
 - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access to the Log Analytics workspace is needed
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access is needed
 
 > [!IMPORTANT]
-> - At minimum, the Log Analytics Reader role (or equivalent permissions) need to be assigned to all of the above enrollment roles because they don't have the permissions by default.
-> - Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
+> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. 

From 7adde9753711797a058f8dddcaa7bc43676f4084 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Mar 2023 09:49:32 -0700
Subject: [PATCH 03/20] edits

---
 .../includes/wufb-reports-admin-center-permissions.md       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b54639dfe6..8e4d1fe6ba 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 
 **Enrolling into Windows Update for Business reports**
 
-To enroll into Windows Update for Business reports from the [Azure portal](portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
 - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
@@ -27,7 +27,7 @@ To enroll into Windows Update for Business reports from the [Azure portal](porta
 The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
 
 - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access is needed
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
 
 > [!IMPORTANT]
-> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. 
+> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. For more information, see [Admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles). 

From 7e20af4408da9a4827348fa718a6bf866c0b330c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 3 Apr 2023 14:50:07 -0700
Subject: [PATCH 04/20] perms

---
 .../update/includes/wufb-reports-admin-center-permissions.md   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8e4d1fe6ba..ac7d452c55 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -14,10 +14,11 @@ ms.localizationpriority: medium
 
 To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
-- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
 - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
+- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) 
 
 > [!IMPORTANT]
 > At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.

From 907411b4858501831e4d56b45930d89424a27ba5 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 3 Apr 2023 15:02:52 -0700
Subject: [PATCH 05/20] perms

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ac7d452c55..bb8b7715f7 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -21,7 +21,7 @@ To enroll into Windows Update for Business reports from the [Azure portal](https
 - [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) 
 
 > [!IMPORTANT]
-> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.
+> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user as well. All of the above roles don't have the permissions to actually read the Windows Update for Business reports data by default.
 
 **Read Windows Update for Business reports data**:
 

From 4d15fe3a6ef9a66a131b3a08da93d853be0afa12 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 13:54:43 -0700
Subject: [PATCH 06/20] reorg data

---
 .../wufb-reports-admin-center-permissions.md  | 33 ++++++++++++-------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index bb8b7715f7..ed7581e9ca 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,26 +9,35 @@ ms.date: 03/29/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources. 
 
-**Enrolling into Windows Update for Business reports**
+- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
+- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain roles access to sign in
+
+**Roles that allow enrollment into Windows Update for Business reports**
 
 To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
-- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
-- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
-- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
-- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) 
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
+- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
+  - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
 
-> [!IMPORTANT]
-> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user as well. All of the above roles don't have the permissions to actually read the Windows Update for Business reports data by default.
-
-**Read Windows Update for Business reports data**:
+**Azure roles that allow access to the Log Analytics workspace Windows Update for Business reports data**
 
 The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
 
 - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
 - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
 
-> [!IMPORTANT]
-> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. For more information, see [Admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles). 
+Examples of commonly assigned roles for Windows Update for Business reports users:
+
+| Roles | Enroll though workbook | Enroll through admin center | Read data workbook | Display admin center | Create Log Analytics workspace |
+| --- | --- | --- | --- | --- | --- |
+| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
+| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
+| Policy and profile manager + Log Analytics reader | Yes | No | Yes | No | No |
+| Log Analytics reader | No | No | Yes | No | No|
+| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |  

From da5178b284e7161c2591d424ea85beb02dce98e5 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 13:58:20 -0700
Subject: [PATCH 07/20] reorg data

---
 windows/deployment/update/wufb-reports-admin-center.md  | 1 -
 windows/deployment/update/wufb-reports-prerequisites.md | 1 -
 2 files changed, 2 deletions(-)

diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index dc316fec52..cf45ebae7c 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -33,7 +33,6 @@ The **Software updates** page has following tabs to assist you in monitoring upd
 <!--Using include Microsoft 365 admin center permissions-->
 [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
 
-
 ## Limitations
 
 Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index b2b565908f..6e179ad957 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -25,7 +25,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
 - The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
 - Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
 
-
 ## Permissions
 
 [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]

From 423dd6d8dfbc58662c8b108e85ca2f8e0636b8ae Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:01:18 -0700
Subject: [PATCH 08/20] reorg data

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ed7581e9ca..8babdb3b2e 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -13,7 +13,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
 
 - [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
-- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain roles access to sign in
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
 
 **Roles that allow enrollment into Windows Update for Business reports**
 

From 8e5146662bb4cf6a342e3f756d27e02dc0e8031c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:02:54 -0700
Subject: [PATCH 09/20] reorg data

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8babdb3b2e..ec8c548368 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,7 +9,7 @@ ms.date: 03/29/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
-Accessing Windows Update for Business reports typcially requires permissions from multiple sources. 
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources including: 
 
 - [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace

From c954b5de54ae29d2bb5f222de4ed60388962a891 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:53:21 -0700
Subject: [PATCH 10/20] reorg data

---
 .../wufb-reports-admin-center-permissions.md        | 13 ++++++++-----
 .../deployment/update/wufb-reports-admin-center.md  | 10 ++--------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ec8c548368..c8d9549c99 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -15,7 +15,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
 - [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
 
-**Roles that allow enrollment into Windows Update for Business reports**
+**Roles that can enroll into Windows Update for Business reports**
 
 To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
@@ -25,19 +25,22 @@ To enroll into Windows Update for Business reports from the [Azure portal](https
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
   - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
 
-**Azure roles that allow access to the Log Analytics workspace Windows Update for Business reports data**
+**Azure roles that allow access to the Log Analytics workspace**
 
-The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
+The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
 
 - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
 - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
 
 Examples of commonly assigned roles for Windows Update for Business reports users:
 
-| Roles | Enroll though workbook | Enroll through admin center | Read data workbook | Display admin center | Create Log Analytics workspace |
+| Roles | Enroll though the [workbook](wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
 | --- | --- | --- | --- | --- | --- |
 | Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
 | Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
-| Policy and profile manager + Log Analytics reader | Yes | No | Yes | No | No |
+| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No |
 | Log Analytics reader | No | No | Yes | No | No|
 | [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |  
+
+> [!NOTE]
+> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index cf45ebae7c..ae429a6271 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -25,20 +25,14 @@ The **Software updates** page has following tabs to assist you in monitoring upd
 
   :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
 
-## Permissions
-
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
-
-<!--Using include Microsoft 365 admin center permissions-->
-[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
-
 ## Limitations
 
 Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
 
 ## Get started
 
+After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisistes.md) for Windows Update for Business reports, enroll using the instructions below if needed: 
+
 <!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
 [!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
 

From e41d136b72885a15b07a092749ffe68fb9c16739 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:03:28 -0700
Subject: [PATCH 11/20] fix links

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 windows/deployment/update/wufb-reports-admin-center.md          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index c8d9549c99..29941791b6 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -34,7 +34,7 @@ The data for Windows Update for Business reports is routed to a Log Analytics wo
 
 Examples of commonly assigned roles for Windows Update for Business reports users:
 
-| Roles | Enroll though the [workbook](wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
+| Roles | Enroll though the [workbook](../wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
 | --- | --- | --- | --- | --- | --- |
 | Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
 | Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index ae429a6271..68161072ed 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -31,7 +31,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us
 
 ## Get started
 
-After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisistes.md) for Windows Update for Business reports, enroll using the instructions below if needed: 
+After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed: 
 
 <!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
 [!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]

From abb8e0281110620a890dba4c25c0c908b6edf956 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:04:14 -0700
Subject: [PATCH 12/20] fix links

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 29941791b6..8c21fa2340 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,7 +9,7 @@ ms.date: 03/29/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
-Accessing Windows Update for Business reports typcially requires permissions from multiple sources including: 
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
 
 - [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace

From cf25521a69f08c52f767e543f0fd91acbe7813ba Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:10:12 -0700
Subject: [PATCH 13/20] fix links

---
 .../update/includes/wufb-reports-admin-center-permissions.md  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8c21fa2340..c1eb23d550 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -17,7 +17,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
 
 **Roles that can enroll into Windows Update for Business reports**
 
-To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To [enroll](../bkmk_enroll.md) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
 - [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
@@ -34,7 +34,7 @@ The data for Windows Update for Business reports is routed to a Log Analytics wo
 
 Examples of commonly assigned roles for Windows Update for Business reports users:
 
-| Roles | Enroll though the [workbook](../wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
+| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
 | --- | --- | --- | --- | --- | --- |
 | Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
 | Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |

From 001afa4d7f51e2a06ee3a2b5e12d7a9ed2c00943 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 24 Apr 2023 18:51:48 -0400
Subject: [PATCH 14/20] update to error codes

---
 .../hello-errors-during-pin-creation.md       | 31 +++++++------------
 1 file changed, 11 insertions(+), 20 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 23537daa14..e63b129275 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
 title: Windows Hello errors during PIN creation
 description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
 ms.topic: troubleshooting
-ms.date: 03/31/2023
+ms.date: 04/24/2023
 ---
 
 # Windows Hello errors during PIN creation
@@ -22,7 +22,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 1. Try to create the PIN again. Some errors are transient and resolve themselves.
 2. Sign out, sign in, and try to create the PIN again.
 3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**.
+4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
 
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
@@ -31,21 +31,21 @@ If the error occurs again, check the error code against the following table to s
 | 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Azure AD and rejoin. |
 | 0x8009000F | The container or key already exists.                               | Unjoin the device from Azure AD and rejoin. |
 | 0x80090011 | The container or key was not found.                                | Unjoin the device from Azure AD and rejoin. |
-| 0x80090029 | TPM is not set up.                                                 | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
+| 0x80090029 | TPM is not set up.                                                 | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
 | 0x8009002A | NTE\_NO\_MEMORY                                                    | Close programs which are taking up memory and try again. |
 | 0x80090031 | NTE\_AUTHENTICATION\_IGNORED                                       | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
 | 0x80090035 | Policy requires TPM and the device does not have TPM.              | Change the Windows Hello for Business policy to not require a TPM. |
 | 0x80090036 | User canceled an interactive dialog.                               | User will be asked to try again. |
 | 0x801C0003 | User is not authorized to enroll.                                  | Check if the user has permission to perform the operation​. |
-| 0x801C000E | Registration quota reached.                                        | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
+| 0x801C000E | Registration quota reached.                                        | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
 | 0x801C000F | Operation successful, but the device requires a reboot.            | Reboot the device.               |
 | 0x801C0010 | The AIK certificate is not valid or trusted.                       | Sign out and then sign in again. |
 | 0x801C0011 | The attestation statement of the transport key is invalid.         | Sign out and then sign in again. |
 | 0x801C0012 | Discovery request is not in a valid format.                        | Sign out and then sign in again. |
-| 0x801C0015 | The device is required to be joined to an Active Directory domain. | ​Join the device to an Active Directory domain. |
-| 0x801C0016 | The federation provider configuration is empty                     | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
-| 0x801C0017 | ​The federation provider domain is empty                            | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
-| 0x801C0018 | The federation provider client configuration URL is empty          | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
+| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
+| 0x801C0016 | The federation provider configuration is empty                     | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
+| 0x801C0017 | The federation provider domain is empty                            | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
+| 0x801C0018 | The federation provider client configuration URL is empty          | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
 | 0x801C03E9 | Server response message is invalid                                 | Sign out and then sign in again. |
 | 0x801C03EA | Server failed to authorize user or device.                         | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
 | 0x801C03EB | Server response http status is not valid                           | Sign out and then sign in again. |
@@ -53,10 +53,11 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure  AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
 | 0x801C03EE | Attestation failed.                                                | Sign out and then sign in again. |
 | 0x801C03EF | The AIK certificate is no longer valid.                            | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
 | 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
+| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| 
 | 0xC00000BB | Your PIN or this option is temporarily unavailable.                | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
 
 ## Errors with unknown mitigation
@@ -72,7 +73,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x80090020  | NTE\_FAIL |
 | 0x80090027  | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
 | 0x8009002D  | NTE\_INTERNAL\_ERROR |
-| 0x801C0001  | ​ADRS server response is not in a valid format. |
+| 0x801C0001  | ADRS server response is not in a valid format. |
 | 0x801C0002  | Server failed to authenticate the user. |
 | 0x801C0006  | Unhandled exception from server. |
 | 0x801C000B  | Redirection is needed and redirected location is not a well known server. |
@@ -88,13 +89,3 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
 | 0xCAA30193  | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
 
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)

From 66ddb1be927e37a6de14d16514da2fb9ab78d580 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 11:15:02 -0400
Subject: [PATCH 15/20] Add another example for sandbox

---
 ...indows-sandbox-configure-using-wsb-file.md | 70 +++++++++++++++----
 .../windows-sandbox-overview.md               | 12 ++--
 2 files changed, 64 insertions(+), 18 deletions(-)

diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index e9790d83e9..e9dc1bb0cc 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
-ms.collection: 
+ms.collection:
   - highpri
   - tier2
 ms.topic: article
@@ -53,7 +53,7 @@ To create a configuration file:
 To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
 
 ```batch
-C:\Temp> MyConfigFile.wsb 
+C:\Temp> MyConfigFile.wsb
 ```
 
 ## Keywords, values, and limits
@@ -80,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to
 `<Networking>value</Networking>`
 
 Supported values:
+
 - *Enable*: Enables networking in the sandbox.
 - *Disable*: Disables networking in the sandbox.
 - *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
@@ -93,12 +94,12 @@ An array of folders, each representing a location on the host machine that will
 
 ```xml
 <MappedFolders>
-  <MappedFolder> 
-    <HostFolder>absolute path to the host folder</HostFolder> 
-    <SandboxFolder>absolute path to the sandbox folder</SandboxFolder> 
-    <ReadOnly>value</ReadOnly> 
+  <MappedFolder>
+    <HostFolder>absolute path to the host folder</HostFolder>
+    <SandboxFolder>absolute path to the sandbox folder</SandboxFolder>
+    <ReadOnly>value</ReadOnly>
   </MappedFolder>
-  <MappedFolder>  
+  <MappedFolder>
     ...
   </MappedFolder>
 </MappedFolders>
@@ -110,8 +111,7 @@ An array of folders, each representing a location on the host machine that will
 
 *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
 
-
-> [!NOTE] 
+> [!NOTE]
 > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
 
 ### Logon command
@@ -136,13 +136,14 @@ Enables or disables audio input to the sandbox.
 `<AudioInput>value</AudioInput>`
 
 Supported values:
+
 - *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
 - *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
 - *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
 
 > [!NOTE]
 > There may be security implications of exposing host audio input to the container.
- 
+
 ### Video input
 
 Enables or disables video input to the sandbox.
@@ -150,7 +151,8 @@ Enables or disables video input to the sandbox.
 `<VideoInput>value</VideoInput>`
 
 Supported values:
-- *Enable*: Enables video input in the sandbox. 
+
+- *Enable*: Enables video input in the sandbox.
 - *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
 - *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
 
@@ -164,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing
 `<ProtectedClient>value</ProtectedClient>`
 
 Supported values:
+
 - *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
 - *Disable*: Runs the sandbox in standard mode without extra security mitigations.
 - *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
@@ -178,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox.
 `<PrinterRedirection>value</PrinterRedirection>`
 
 Supported values:
+
 - *Enable*: Enables sharing of host printers into the sandbox.
 - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
 - *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
@@ -189,8 +193,9 @@ Enables or disables sharing of the host clipboard with the sandbox.
 `<ClipboardRedirection>value</ClipboardRedirection>`
 
 Supported values:
+
 - *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. 
+- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
 - *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
 
 ### Memory in MB
@@ -202,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
 If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
 
 ## Example 1
+
 The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
 
 ### Downloads.wsb
@@ -233,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
 
 ### VSCodeInstall.cmd
 
-Download vscode to `downloads` folder and run from `downloads` folder
+Download vscode to `downloads` folder and run from `downloads` folder.
 
 ```batch
 REM Download Visual Studio Code
@@ -264,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
   </LogonCommand>
 </Configuration>
 ```
+
+## Example 3
+
+The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
+
+`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+<Configuration>
+  <MappedFolders>
+    <MappedFolder>
+      <HostFolder>C:\sandbox</HostFolder>
+      <SandboxFolder>C:\sandbox</SandboxFolder>
+      <ReadOnly>True</ReadOnly>
+    </MappedFolder>
+  </MappedFolders>
+  <LogonCommand>
+    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1</Command>
+  </LogonCommand>
+</Configuration>
+```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 6e2f83d198..846f0ed7f6 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
-ms.collection: 
+ms.collection:
   - highpri
   - tier2
 ms.topic: article
@@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta
 Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
 
 Windows Sandbox has the following properties:
+
 - **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
 - **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
 - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
@@ -32,7 +33,7 @@ Windows Sandbox has the following properties:
 > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
 
 ## Prerequisites
- 
+
 - Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
 - AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
 - Virtualization capabilities enabled in BIOS
@@ -59,7 +60,7 @@ Windows Sandbox has the following properties:
 
    > [!NOTE]
    > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
-   > 
+   >
    > ```powershell
    > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
    > ```
@@ -67,9 +68,10 @@ Windows Sandbox has the following properties:
 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
 
    > [!NOTE]
-   > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually.  
+   > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
+
+## Usage
 
-## Usage 
 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
 
 2. Run the executable file or installer inside the sandbox.

From 3fc85a8320997668afe20468db47156324c7028c Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:22:57 -0400
Subject: [PATCH 16/20] Update prereqs

---
 .../windows-sandbox/windows-sandbox-overview.md        | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 846f0ed7f6..153162fd8e 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,12 +34,16 @@ Windows Sandbox has the following properties:
 
 ## Prerequisites
 
-- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
-- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
+- Windows 10, version 1903 or later, or Windows 11
+- Windows Pro, Enterprise or Education edition
+- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
 - Virtualization capabilities enabled in BIOS
 - At least 4 GB of RAM (8 GB recommended)
 - At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyperthreading recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition
 
 ## Installation
 

From 00f4fd0438668b43d613689b73431ed232ba5d6f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:37:43 -0400
Subject: [PATCH 17/20] Minor changes

---
 .../windows-sandbox/windows-sandbox-overview.md               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 153162fd8e..74e81b1a05 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,9 +34,9 @@ Windows Sandbox has the following properties:
 
 ## Prerequisites
 
-- Windows 10, version 1903 or later, or Windows 11
+- Windows 10, version 1903 and later, or Windows 11
 - Windows Pro, Enterprise or Education edition
-- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
+- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
 - Virtualization capabilities enabled in BIOS
 - At least 4 GB of RAM (8 GB recommended)
 - At least 1 GB of free disk space (SSD recommended)

From d7cc8917a7ab76b61676703b38d133fda8d1c9ce Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:28:26 -0700
Subject: [PATCH 18/20] update metadata

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 windows/deployment/update/wufb-reports-admin-center.md          | 2 +-
 windows/deployment/update/wufb-reports-enable.md                | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index c1eb23d550..b859c33a3e 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,7 +5,7 @@ manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
-ms.date: 03/29/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 68161072ed..8d7b1f616c 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 03/29/2023
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
 
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index a02c8ece15..df307acd3d 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
 

From 6e31c319da7682bbc789f826c965607ecf6ac9b7 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:33:22 -0700
Subject: [PATCH 19/20] update metadata

---
 windows/deployment/update/wufb-reports-prerequisites.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index 6e179ad957..f9951294d8 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 03/29/2023
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
 

From 533d0ad7259404f5153d64cfc831dba0d1743e85 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:39:27 -0700
Subject: [PATCH 20/20] edit

---
 .../update/includes/wufb-reports-admin-center-permissions.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b859c33a3e..342b6d4210 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -17,7 +17,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
 
 **Roles that can enroll into Windows Update for Business reports**
 
-To [enroll](../bkmk_enroll.md) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
 - [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role