diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index de91ab07af..74ab14397b 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -231,7 +231,7 @@ The App-V Client can be configured to change the default behavior of streaming.
|PackageSourceRoot|The root override where packages should be streamed from|
|SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios|
-These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that is important to understand:
+These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that are important to understand:
- Background Streaming
- Optimized Streaming
@@ -344,7 +344,7 @@ This process will recreate both the local and network locations for AppData and
In an App-V Full Infrastructure, after applications are sequenced, they're managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client.
-This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Endpoint Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications).
+This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications).
The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index e2024178c1..c1a212d4a9 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -38,7 +38,7 @@ Sequencing Office 2010 is one of the main methods for creating an Office 2010 pa
You can deploy Office 2010 packages by using any of the following App-V deployment methods:
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
* App-V server
* Stand-alone through Windows PowerShell commands
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 73f9db7e31..2361c92d00 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -245,7 +245,7 @@ Use the following information to publish an Office package.
Deploy the App-V package for Office 2013 by using the same methods you use for any other package:
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
* App-V Server
* Stand-alone through Windows PowerShell commands
@@ -283,7 +283,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
#### To enable plug-ins for Office App-V packages
-1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet.
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 745d79c291..871ad80c8d 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -229,7 +229,7 @@ Use the following information to publish an Office package.
Deploy the App-V package for Office 2016 by using the same methods as the other packages that you've already deployed:
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
* App-V Server
* Stand-alone through Windows PowerShell commands
@@ -266,7 +266,7 @@ The following steps will tell you how to enable Office plug-ins with your Office
#### Enable plug-ins for Office App-V packages
-1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet.
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
3. Create an App-V package that includes the plug-ins you want.
4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 0058f4790c..a7be17a6f3 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -14,7 +14,7 @@ ms.topic: article
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv).
+If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv).
Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages:
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 2522c24732..097a07c1ed 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -72,7 +72,7 @@ The App-V Publishing server can be installed on a server that runs Windows Serve
### Publishing server hardware requirements
-App-V adds requires nothing beyond the requirements of Windows Server.
+App-V adds require nothing beyond the requirements of Windows Server.
* A 64-bit (x64) processor that runs at 1.4 GHz or faster.
* 2-GB RAM (64-bit).
@@ -117,7 +117,7 @@ Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK)
See the Windows or Windows Server documentation for the hardware requirements.
-## Supported versions of Microsoft Endpoint Configuration Manager
+## Supported versions of Microsoft Configuration Manager
The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606.
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 928db9a0cb..d02f1b1f53 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -36,7 +36,7 @@ For personal devices (BYOD):
### Azure AD Join
-Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
+Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 4770e2515b..af610cec3c 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -11,10 +11,14 @@ ms.reviewer:
manager: aaroncz
---
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
-> [!NOTE]
-> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
+Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
+
+- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
+- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+If you use the Azure portal, then you can access Intune using the following steps:
1. Go to your Azure AD Blade.
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 24fe54f2cf..a89553916f 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -37,7 +37,7 @@ You can use the same management tools to manage all device types running Windows
## Learn more
-[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 99a1cc804d..19461ff803 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -17,7 +17,7 @@ Use of personal devices for work, and employees working outside the office, may
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index d8748f2ee6..65c0df509a 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -255,7 +255,7 @@ There are a few instances where your device may not be able to connect to work.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. |
-| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. |
+| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. |
| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 177b63d3e2..ff2dba8be7 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -327,7 +327,7 @@
href: ue-v/uev-manage-configurations.md
- name: Configuring UE-V with Group Policy Objects
href: ue-v/uev-configuring-uev-with-group-policy-objects.md
- - name: Configuring UE-V with Microsoft Endpoint Configuration Manager
+ - name: Configuring UE-V with Microsoft Configuration Manager
href: ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
- name: Administering UE-V with Windows PowerShell and WMI
href: ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index a1ac8234e6..a350813090 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -31,7 +31,7 @@ CSPs are behind many of the management tasks and policies for Windows client, bo
:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP":::
-CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
+CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
### Synchronization Markup Language (SyncML)
@@ -55,7 +55,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
-:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in icd.":::
+:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD.":::
[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
@@ -81,7 +81,7 @@ The full path to a specific configuration setting is represented by its Open Mob
The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
-:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access csp tree.":::
+:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree.":::
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 780fc8c764..eeba5e2a63 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -148,7 +148,7 @@ For details on each specific setting, see [Windows Provisioning settings referen
## Learn more
-- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
## Related articles
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index dc2ca16f4d..2f4dadd57a 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,6 +1,6 @@
---
-title: Configuring UE-V with Microsoft Endpoint Configuration Manager
-description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager.
+title: Configuring UE-V with Microsoft Configuration Manager
+description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
author: aczechowski
ms.prod: windows-client
ms.date: 04/19/2017
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 79d36471a0..901c9451d1 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -220,7 +220,7 @@ After you create a settings location template with the UE-V template generator,
You can deploy settings location templates using of these methods:
-- An electronic software distribution (ESD) system such as Microsoft Endpoint Configuration Manager
+- An electronic software distribution (ESD) system such as Microsoft Configuration Manager
- Group Policy preferences
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 7bc1cfe1cd..6f44c3f7ea 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -24,11 +24,11 @@ You can use Group Policy Objects to modify the settings that define how UE-V syn
[Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
-## Configuring UE-V with Microsoft Endpoint Configuration Manager
+## Configuring UE-V with Microsoft Configuration Manager
You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack.
-[Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
+[Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
## Administering UE-V with PowerShell and WMI
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 9d16048ab9..39acddadd3 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -265,9 +265,9 @@ For more information, see the [Windows Application List](uev-managing-settings-l
If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
-Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
+Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
-For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
+For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
### Prevent unintentional user settings configuration
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index b70ac634d6..b235598be3 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -28,8 +28,8 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
- Windows Autopilot
- In-place upgrade
- Deploying Windows 10 upgrade with Intune
-- Deploying Windows 10 upgrade with Microsoft Endpoint Configuration Manager
-- Deploying a computer refresh with Microsoft Endpoint Configuration Manager
+- Deploying Windows 10 upgrade with Microsoft Configuration Manager
+- Deploying a computer refresh with Microsoft Configuration Manager
## Free trial account
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index e1a4f5b77f..cec1220c0b 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -40,7 +40,7 @@ The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is a
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
+An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
## The Modern Desktop Deployment Center
@@ -124,7 +124,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-### Microsoft Endpoint Configuration Manager
+### Microsoft Configuration Manager
An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
@@ -201,7 +201,7 @@ For more information, see the following guides:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
## Troubleshooting guidance
diff --git a/windows/deployment/deploy-windows-cm/TOC.yml b/windows/deployment/deploy-windows-cm/TOC.yml
index f47a156a14..13d898e1b5 100644
--- a/windows/deployment/deploy-windows-cm/TOC.yml
+++ b/windows/deployment/deploy-windows-cm/TOC.yml
@@ -1,4 +1,4 @@
-- name: Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+- name: Deploy Windows 10 with Microsoft Configuration Manager
items:
- name: Prepare for Windows 10 deployment with Configuration Manager
items:
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index b894e49a68..c723dc30ae 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -19,7 +19,7 @@ ms.date: 10/27/2022
- Windows 10
-Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
+Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point.
## Infrastructure
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 3096ca315b..25f8bd58cf 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Endpoint Configuration Manager.
+description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager.
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@@ -19,7 +19,7 @@ ms.date: 10/27/2022
- Windows 10
-In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
- The boot image that is created is based on the version of ADK that is installed.
For the purposes of this guide, we'll use one server computer: CM01.
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index c7ef3fcf77..ce164ba563 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -18,7 +18,7 @@ ms.date: 10/27/2022
- Windows 10
-This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Endpoint Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
+This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
## Prerequisites
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 5e089a9ae6..45a35d3282 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager.
ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
ms.reviewer:
manager: aaroncz
@@ -20,7 +20,7 @@ ms.date: 10/27/2022
- Windows 10
-In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 9c8464bb68..701f10efc1 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -27,7 +27,7 @@ MDT is a unified collection of tools, processes, and guidance for automating des
In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/).
+MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Configuration Manager](/configmgr/).
> [!IMPORTANT]
> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-).
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index a4ddd7deff..81b14bb1e6 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -23,7 +23,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. |
|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Configuration Manager in your environment, you'll most likely want to use it to deploy Windows 10. This article will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). |
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index 98615239e4..8de2e95ad4 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -26,12 +26,12 @@ This article lists the endpoints that need to be allowed through the firewall to
|Domain Name |Protocol/Port(s) | Content Type | Additional Information | Version |
|---------|---------|---------------|-------------------|-----------------|
-| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update Windows Defender Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80 HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.statics.teams.cdn.office.net | HTTP / 80 HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point |
+| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update Windows Defender Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Configuration Manager Distribution Point |
+| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Configuration Manager Distribution Point |
+| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Configuration Manager Distribution Point |
+| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80 HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Configuration Manager Distribution Point |
+| *.statics.teams.cdn.office.net | HTTP / 80 HTTPs / 443 | Teams | | Microsoft Configuration Manager Distribution Point |
+| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Configuration Manager Distribution Point |
+| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Configuration Manager Distribution Point |
| *.do.dsp.mp.microsoft.com | HTTP / 80 HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671 MQTT / 8883 HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index ff8fd19bfa..75f5fb76b3 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -46,7 +46,7 @@ Two methods of peer-to-peer content distribution are available.
> [!NOTE]
> Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
>
-> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
## Express update delivery
@@ -56,7 +56,7 @@ Windows client quality update downloads can be large because every package conta
> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
-- **Express on Microsoft Endpoint Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
+- **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708456(v=ws.10)).
@@ -94,4 +94,4 @@ At this point, the download is complete and the update is ready to be installed.
|  | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
|  | Optimize update delivery for Windows 10 updates (this article) |
-|  | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)
or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+|  | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)
or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index e1614b011b..4a758fcbc4 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -31,7 +31,7 @@ Use Windows Analytics to get:
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager
+- Data export to commonly used software deployment tools, including Microsoft Configuration Manager
The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 12e891c82f..bf3c38f95e 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -49,7 +49,7 @@ sections:
For many devices, drivers will be automatically installed in Windows 10 and there will be no need for further action.
- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
- - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
+ - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
- [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html)
- [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
- [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
@@ -70,9 +70,9 @@ sections:
- question: |
Which deployment tools support Windows 10?
answer: |
- Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
+ Updated versions of Microsoft deployment tools, including Microsoft Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
- - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
+ - [Microsoft Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
- [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
@@ -81,7 +81,7 @@ sections:
- question: |
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
answer: |
- Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
+ Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
- question: |
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
@@ -114,7 +114,7 @@ sections:
- Windows Update
- Windows Update for Business
- Windows Server Update Services
- - Microsoft Endpoint Configuration Manager
+ - Microsoft Configuration Manager
For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 1a3c1e8061..26aff43d39 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -40,7 +40,7 @@ For more information about Microsoft Configuration Manager support for Windows 1
## Management tools
-In addition to Microsoft Endpoint Configuration Manager, Windows 10 also uses other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you're using a central policy store, follow the steps outlined [here](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) to update the ADMX files stored in that central store.
+In addition to Microsoft Configuration Manager, Windows 10 also uses other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you're using a central policy store, follow the steps outlined [here](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) to update the ADMX files stored in that central store.
No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these schema updates to support new features.
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
index f992798862..848e407d94 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
@@ -168,7 +168,7 @@ sections:
- question: |
How can Windows To Go be managed in an organization?
answer: |
- Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
+ Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
- question: |
How do I make my computer boot from USB?
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index dd1b570035..5465e73df5 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -56,7 +56,7 @@ The applications that you want to use from the Windows To Go workspace should be
## Prepare for Windows To Go
-Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
+Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 5c1d53cd63..7d41b154fe 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -68,7 +68,7 @@ numerous advantages:
Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
-For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
+For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index d5467cc27c..d53be32342 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -44,7 +44,7 @@ We include information here about many different update types you'll hear about,
There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
-The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
+The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
### General Availability Channel
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 9a3ff8f9c3..352013a1ea 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -37,7 +37,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. |
-| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. |
+| [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage more Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. |
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 235adb34ea..9ab24e12bd 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -41,7 +41,7 @@ In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization
## Configure servers for BranchCache
-You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Endpoint Configuration Manager.
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager.
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index af886bbfe3..0565315cf2 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -189,7 +189,7 @@ Starting with Windows 10, version 1709, you can set policies to manage preview b
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
-* Microsoft Endpoint Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
+* Microsoft Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
>[!IMPORTANT]
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index b7708a85de..1018e89ac2 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,6 +1,6 @@
---
title: Integrate Windows Update for Business
-description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.prod: windows-client
author: aczechowski
ms.localizationpriority: medium
@@ -21,7 +21,7 @@ ms.technology: itpro-updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
## Integrate Windows Update for Business with Windows Server Update Services
@@ -88,7 +88,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
>[!NOTE]
> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
-## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager
+## Integrate Windows Update for Business with Microsoft Configuration Manager
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 57b7d86ab1..3fbea85a1b 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -337,7 +337,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows client updates using Windows Server Update Services (this topic)or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows client updates using Windows Server Update Services (this topic)or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index a8c8b81afd..f2ed2acdde 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -91,7 +91,7 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
-When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
> [!NOTE]
@@ -132,7 +132,7 @@ There are many tools you can use to service Windows as a service. Each option ha
- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device.
- **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune.
- **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
-- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+- **Microsoft Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
**Servicing tools comparison**
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index e96a0fe78c..baa37b5307 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -46,7 +46,7 @@ For more information, see [Assign devices to servicing channels for Windows clie
## Staying up to date
-To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index ab46ab1414..2fdbd0beea 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -28,7 +28,7 @@ The following table shows the methods and paths available to change the edition
> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
> [!TIP]
-> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
+> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Configuration Manager.
 (X) = not supported
 (green checkmark) = supported, reboot required
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index a7c5b2d143..2a26886c73 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -127,11 +127,11 @@ A company receives 50 new laptops for their managers and needs to reallocate 50
A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store.
-1. On each source computer, the administrator runs the ScanState tool using Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server.
+1. On each source computer, the administrator runs the ScanState tool using Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server.
2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
-3. On each of the new computers, the administrator runs the LoadState tool using Microsoft Endpoint Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers.
+3. On each of the new computers, the administrator runs the LoadState tool using Microsoft Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers.
## Related topics
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 6406cfc2c4..de59c64bd1 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -27,7 +27,7 @@ Running the ScanState and LoadState tools with the **/v**:5 option crea
-After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state).
+After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state).
**Note**
For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index a1335da901..ec8b2ffdba 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -86,7 +86,7 @@ There are several options for organizations to configure the WMI firewall except
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
-- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
+- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.
The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 2b11e32b23..c4d6a505ac 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -37,7 +37,7 @@ The table below provides support details for specific deployment scenarios (Boot
## Reason for the change
-Alternatives to WDS, such as [Microsoft Endpoint Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
## Not affected
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index fdf36b188b..e952e8d4f6 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -22,7 +22,7 @@ To successfully deploy the Windows 10 operating system in your organization, it'
The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
> [!NOTE]
> Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
@@ -123,7 +123,7 @@ While the initial Windows 10 release includes various provisioning settings and
## Traditional deployment:
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
@@ -185,7 +185,7 @@ The deployment process for the replace scenario is as follows:
## Related articles
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
+- [Upgrade to Windows 10 with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 2f28c2a5c4..7c6eb866b0 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -95,7 +95,7 @@ You can implement Credential Guard on Windows 10 Enterprise devices by turning o
- Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
- You can automate these manual steps by using a management tool such as Microsoft Endpoint Configuration Manager.
+ You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
For more information about implementing Credential Guard, see the following resources:
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index adb1f9b19a..9c638be5d1 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -22,7 +22,7 @@ ms.topic: how-to
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
-- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
@@ -51,8 +51,8 @@ Topics and procedures in this guide are summarized in the following table. An es
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Endpoint Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Endpoint Configuration Manager.
+- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
## Install MDT
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d3a85cecee..f7ecaa8853 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,6 +1,6 @@
---
title: Steps to deploy Windows 10 with Configuration Manager
-description: Learn how to deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager.
+description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager.
ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
@@ -38,14 +38,14 @@ Multiple features and services are installed on SRV1 in this guide. This configu
## In this guide
-This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
+This guide provides end-to-end instructions to install and configure Microsoft Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
|Procedure|Description|Time|
|--- |--- |--- |
|[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes|
-|[Install Microsoft Endpoint Configuration Manager](#install-microsoft-endpoint-configuration-manager)|Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.|45 minutes|
+|[Install Microsoft Configuration Manager](#install-microsoft-configuration-manager)|Download Microsoft Configuration Manager, configure prerequisites, and install the package.|45 minutes|
|[Download MDOP and install DaRT](#download-mdop-and-install-dart)|Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.|15 minutes|
|[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes|
|[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes|
@@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate
## Install prerequisites
-1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
@@ -114,7 +114,7 @@ The procedures in this guide are summarized in the following table. An estimate
6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
-## Install Microsoft Endpoint Configuration Manager
+## Install Microsoft Configuration Manager
1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
@@ -124,7 +124,7 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer
```
-1. Download [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
+1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
@@ -243,7 +243,7 @@ The procedures in this guide are summarized in the following table. An estimate
## Prepare for Zero Touch installation
-This section contains several procedures to support Zero Touch installation with Microsoft Endpoint Configuration Manager.
+This section contains several procedures to support Zero Touch installation with Microsoft Configuration Manager.
### Create a folder structure
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 98b5881e0d..376a7ff9c4 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -25,7 +25,7 @@ This guide contains instructions to configure a proof of concept (PoC) environme
This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
@@ -80,7 +80,7 @@ Hardware requirements are displayed below:
|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016|Windows 8.1 or a later|
|**Edition**|Enterprise, Professional, or Education|Any|
|**Architecture**|64-bit|Any
Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.|
-|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
+|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Configuration Manager.|Any|
|**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.|
|**CPU**|SLAT-Capable CPU|Any|
|**Network**|Internet connection|Any|
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 2616f22559..b8ca6a476a 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
-The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
+The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
## Step 1: Review all prerequisites
@@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af
**To delete the data we collect:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to Windows Autopatch > **Tenant enrollment**.
3. Select **Delete all data**.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 1b883ebe0b..b2ac14cb00 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -1,7 +1,7 @@
---
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
-ms.date: 08/08/2022
+ms.date: 11/02/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@@ -17,9 +17,22 @@ msreviewer: hathind
The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
> [!IMPORTANT]
-> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
+> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
-## Service principal
+## Windows Autopatch enterprise applications
+
+Enterprise applications are applications (software) that a business uses to do its work.
+
+Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
+
+| Enterprise application name | Usage | Permissions |
+| ----- | ------ | ----- |
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | - DeviceManagementApps.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.PriviligedOperation.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementRBAC.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Directory.Read.All
- Group.Create
- Policy.Read.All
- WindowsUpdates.Read.Write.All
|
+
+> [!NOTE]
+> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
+
+### Service principal
Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
@@ -38,40 +51,21 @@ Windows Autopatch will create Azure Active Directory groups that are required to
| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters |
| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
-| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10Group Rule:
- `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
- `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`
Exclusions:- Modern Workplace - Telemetry Settings for Windows 11
|
-| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11Group Rule:
- `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
- `(device.deviceOSVersion -startsWith \"10.0.22000\")`
Exclusions:- Modern Workplace - Telemetry Settings for Windows 10
|
| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role |
| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch |
-## Windows Autopatch enterprise applications
-
-Enterprise applications are applications (software) that a business uses to do its work.
-
-Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
-
-| Enterprise application name | Usage | Permissions |
-| ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | - DeviceManagementApps.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.PriviligedOperation.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementRBAC.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Directory.Read.All
- Group.Create
- Policy.Read.All
- WindowsUpdates.Read.Write.All
|
-
-> [!NOTE]
-> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
-
## Device configuration policies
-- Modern Workplace - Set MDM to Win Over GPO
-- Modern Workplace - Telemetry Settings for Windows 10
-- Modern Workplace - Telemetry Settings for Windows 11
-- Modern Workplace-Window Update Detection Frequency
-- Modern Workplace - Data Collection
+- Windows Autopatch - Set MDM to Win Over GPO
+- Windows Autopatch - Data Collection
+- Windows Autopatch-Window Update Detection Frequency
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
-| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPOAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
-| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
|[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 |
-| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
|- [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|- 3
- 1
- 1
- 1
|
-| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequencyAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
-| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
+| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPOAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
+| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices. Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
|- [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
- [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|- Full
- 1
- 1
- 1
|
+| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequencyAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
## Update rings for Windows 10 and later
@@ -105,33 +99,29 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
## Microsoft Office update policies
-- Modern Workplace - Office ADMX Deployment
-- Modern Workplace - Office Configuration v5
-- Modern Workplace - Office Update Configuration [Test]
-- Modern Workplace - Office Update Configuration [First]
-- Modern Workplace - Office Update Configuration [Fast]
-- Modern Workplace - Office Update Configuration [Broad]
+- Windows Autopatch - Office Configuration v5
+- Windows Autopatch - Office Update Configuration [Test]
+- Windows Autopatch - Office Update Configuration [First]
+- Windows Autopatch - Office Update Configuration [Fast]
+- Windows Autopatch - Office Update Configuration [Broad]
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
-| Modern Workplace - Office ADMX Deployment | ADMX file for OfficeAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
-| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
-| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
|- Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 0
|
-| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-First
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
| - Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 0
|
-| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-Fast
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
| - Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 3
|
-| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
Assigned to:- Modern Workplace Devices-Windows Autopatch-Broad
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
|- Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 7
|
+| Windows Autopatch - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.Assigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
+| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
|- Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 0
|
+| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-First
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
| - Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 0
|
+| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadlineAssigned to:
- Modern Workplace Devices-Windows Autopatch-Fast
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
| - Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 3
|
+| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
Assigned to:- Modern Workplace Devices-Windows Autopatch-Broad
|- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
- `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
|- Enabled; L_UpdateDeadlineID == 7
- Enabled; L_DeferUpdateDaysID == 7
|
## Microsoft Edge update policies
-- Modern Workplace - Edge Update ADMX Deployment
-- Modern Workplace - Edge Update Channel Stable
-- Modern Workplace - Edge Update Channel Beta
+- Windows Autopatch - Edge Update Channel Stable
+- Windows Autopatch - Edge Update Channel Beta
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
-| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for EdgeAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| | |
-| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable ChannelAssigned to:
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
-| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta ChannelAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
+| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable ChannelAssigned to:
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
+| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta ChannelAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
## PowerShell scripts
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index c5163c949a..0001b7976c 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -27,7 +27,7 @@ The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Mic
| [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:
- [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
- [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
-| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
+| [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. |
| [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
## Windows Autopatch data process and storage
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 0794c284fd..7e8837ad3c 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -230,19 +230,17 @@ additionalContent:
- title: Other resources
items:
- - title: Microsoft Endpoint Manager
+ - title: Microsoft endpoint management with Intune
links:
- - text: Microsoft Endpoint Manager documentation
- url: /mem
- - text: Overview of Microsoft Endpoint Manager
+ - text: Intune is a family of products
url: /mem/endpoint-manager-overview
- - text: Getting started with Microsoft Endpoint Manager
- url: /mem/endpoint-manager-getting-started
+ - text: What is Microsoft Intune?
+ url: /mem/what-is-intune
- text: Microsoft Endpoint Manager simplifies upgrades to Windows 11
url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886
- text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager
url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866
- - text: Microsoft Endpoint Manager blog
+ - text: Microsoft endpoint management blog
url: https://aka.ms/memblog
- title: Windows 365
links:
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 13b8872c26..48eab123cc 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -17,7 +17,7 @@ ms.topic: conceptual
- Windows 10, version 1903 and later
- Windows Server 2022
-Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
+Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we've moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this change will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
@@ -26,7 +26,7 @@ This article is meant for IT administrators and explains the changes Windows is
## Summary of changes
-In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
+In Windows 10, version 1903 and later, you'll see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
@@ -42,9 +42,9 @@ Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience
## Behavioral changes
-Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.
+Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they're upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that use enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.
-Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):
+Additionally, you'll see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):
| Policy type | Current policy | Renamed policy |
| --- | --- | --- |
@@ -65,9 +65,9 @@ For more info, see [Configure Windows diagnostic data in your organization](conf
## Services that rely on Enhanced diagnostic data
-Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
+Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
-The following provides information on the current configurations:
+The following articles provide information on the current configurations:
- [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)
@@ -95,7 +95,7 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az
- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
- [Microsoft Managed Desktop](/managed-desktop/intro/)
-- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
+- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
*(Additional licensing requirements may apply to use these services.)*
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 63ab9a4a86..c364767760 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -244,7 +244,7 @@
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
- name: Determine the enterprise context of an app running in WIP
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
- - name: Create a WIP policy using Microsoft Endpoint Configuration Manager
+ - name: Create a WIP policy using Microsoft Configuration Manager
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
items:
- name: Create and deploy a WIP policy in Configuration Manager
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
index 213647487d..0c96ff69db 100644
--- a/windows/security/cloud.md
+++ b/windows/security/cloud.md
@@ -23,9 +23,9 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.
To learn more, see [Mobile device management](/windows/client-management/mdm/). |
+| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.
To learn more, see [Mobile device management](/windows/client-management/mdm/). |
| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.
The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.
To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
-| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).
In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
+| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).
If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.
To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
## Next steps
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 9d8bb4a982..3ef2c7372f 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -25,7 +25,7 @@ appliesto:
## Default Enablement
-Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
+Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
### Requirements for automatic enablement
@@ -34,7 +34,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
|Component|Requirement|
|---|---|
|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
-|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
+|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
> [!NOTE]
@@ -55,7 +55,7 @@ The same set of procedures used to enable Windows Defender Credential Guard on p
### Enable Windows Defender Credential Guard by using Group Policy
-You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
+You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
@@ -73,32 +73,32 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run `gpupdate /force`.
-### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager
+### Enable Windows Defender Credential Guard by using Microsoft Intune
-1. From **Microsoft Endpoint Manager admin center**, select **Devices**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
1. Select **Configuration Profiles**.
1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
- 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings.
+ 1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings.
> [!NOTE]
> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
> [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
### Enable Windows Defender Credential Guard by using the registry
-If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
+If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.
#### Add the virtualization-based security features
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped.
-If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
@@ -201,9 +201,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
> [!NOTE]
> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
-- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
+- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible.
-- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
@@ -213,13 +213,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
+ - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
-- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0.
- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
@@ -238,9 +238,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
## Disable Windows Defender Credential Guard
-Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
+Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
-If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
+If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
@@ -262,7 +262,7 @@ If Windows Defender Credential Guard was enabled via Group Policy and without UE
### Disabling Windows Defender Credential Guard using Registry Keys
-If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
+If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
1. Change the following registry settings to 0:
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index b488757dd8..738c5d164a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -27,7 +27,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
## Prerequisites
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
@@ -37,7 +37,7 @@ Check and view this setting with the following MSOnline PowerShell command:
`Get-MsolDomainFederationSettings –DomainName `
-To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
+To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
`Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false`
@@ -55,11 +55,11 @@ We recommend that you disable or manage Windows Hello for Business provisioning
The following method explains how to disable Windows Hello for Business enrollment without Intune.
-1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
- When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
+ When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
> [!NOTE]
> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 88115dc1cb..91cd2ed308 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -47,11 +47,11 @@ sections:
Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
- - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
+ - question: Can I deploy Windows Hello for Business by using Microsoft Configuration Manager?
answer: |
Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
- - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune?
+ - question: Can I deploy Windows Hello for Business by using Microsoft Intune?
answer: |
Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
@@ -155,11 +155,11 @@ sections:
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+ When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
- Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
+ Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.
- question: Who has access on Windows Hello biometrics data?
answer: |
@@ -167,11 +167,11 @@ sections:
- question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
answer: |
- Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
+ Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a pin. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just select on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
- question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
answer: |
- To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+ To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
- question: What about any diagnostic data coming out when WHFB is enabled?
answer: |
@@ -187,7 +187,7 @@ sections:
- question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
answer: |
- Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint.
+ Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint.
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index af6c28cb74..d44b2c01e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -35,7 +35,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc
- Reset from settings - Windows 10, version 1703 or later, Windows 11
- Reset above Lock - Windows 10, version 1709 or later, Windows 11
-Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
+Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
>[!IMPORTANT]
@@ -52,16 +52,16 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI
For Azure AD-joined devices:
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Select **I forgot my PIN** from the PIN credential provider.
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key).
+1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key).
1. Follow the instructions provided by the provisioning process.
1. When finished, unlock your desktop using your newly created PIN.
For Hybrid Azure AD-joined devices:
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Select **I forgot my PIN** from the PIN credential provider.
1. Enter your password and press enter.
1. Follow the instructions provided by the provisioning process.
@@ -70,19 +70,19 @@ For Hybrid Azure AD-joined devices:
> [!NOTE]
> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
-You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
## Non-Destructive PIN reset
**Requirements:**
- Azure Active Directory
-- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903.
+- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903.
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
-When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
@@ -95,10 +95,10 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
|Category|Destructive PIN Reset|Non-Destructive PIN Reset|
|--- |--- |--- |
|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
+|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
+|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
@@ -117,13 +117,13 @@ Before you can remotely reset PINs, you must register two applications in your A
#### Connect Azure Active Directory with the PIN Reset Service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
+1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
#### Connect Azure Active Directory with the PIN Reset Client
1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
+1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
#### Confirm that the two PIN Reset service principals are registered in your tenant
@@ -141,7 +141,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI
You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
@@ -163,7 +163,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
>[!NOTE]
> You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
> 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
@@ -236,11 +236,11 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
- Azure AD joined devices
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
### Configure Web Sign-in Allowed URLs using Microsoft Intune
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **Devices** > **Configuration profiles** > **Create profile**
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**
@@ -266,7 +266,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
> [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
-## Related topics
+## Related articles
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index a4c55e0fdd..37f7b13e82 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -21,23 +21,23 @@ appliesto:
# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
## Prerequisites
-Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
+Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
- Azure Active Directory Connect synchronization
- Device Registration
- Certificate Revocation List (CRL) Distribution Point (CDP)
- 2016 Domain Controllers
- Domain Controller certificate
-- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
+- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, you can use any VPN solution.
### Azure Active Directory Connect synchronization
-Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
+Azure AD join, and hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you're using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
### Azure Active Directory Device Registration
-A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
+A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user can't provision Windows Hello for Business unless the device from which they're trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
@@ -48,24 +48,24 @@ Certificates issued by a certificate authority can be revoked. When a certifica
-The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
+The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. The value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the certificate revocation list. The authentication becomes a circular problem. The user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
-To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
-If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
+If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
> [!NOTE]
> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server.
### Windows Server 2016 Domain Controllers
-If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+If you're interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We're glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement.
+If you're interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you're the right place. The same certificate configuration on the domain controllers is needed, whether you're using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can ignore the Windows Server 2016 domain controller requirement.
### Domain Controller Certificates
-Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory
+Certificate authorities write CRL distribution points in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory
#### Why does Windows need to validate the domain controller certificate?
@@ -79,7 +79,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w
- The domain controller's certificate's signature hash algorithm is **sha256**.
- The domain controller's certificate's public key is **RSA (2048 Bits)**.
-Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
+Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
> [!Tip]
> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate.
@@ -88,7 +88,7 @@ Authenticating from a Hybrid Azure AD joined device to a domain using Windows He
Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point.
-Steps you will perform include:
+Steps you'll perform include:
- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
@@ -99,40 +99,40 @@ Steps you will perform include:
### Configure Internet Information Services to host CRL distribution point
-You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
+You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
> [!IMPORTANT]
> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
#### Installing the Web Server
-1. Sign-in to your server as a local administrator and start **Server Manager** if it did not start during your sign in.
-2. Click the **Local Server** node in the navigation pane. Click **Manage** and click **Add Roles and Features**.
-3. In the **Add Role and Features Wizard**, click **Server Selection**. Verify the selected server is the local server. Click **Server Roles**. Select the check box next to **Web Server (IIS)**.
-4. Click **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
+1. Sign-in to your server as a local administrator and start **Server Manager** if it didn't start during your sign in.
+2. Select the **Local Server** node in the navigation pane. Select **Manage** and select **Add Roles and Features**.
+3. In the **Add Role and Features Wizard**, select **Server Selection**. Verify the selected server is the local server. Select **Server Roles**. Select the check box next to **Web Server (IIS)**.
+4. Select **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
#### Configure the Web Server
1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
-2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
-3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**.
+2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and select **Add Virtual Directory...**.
+3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you'll host the certificate revocation list. For this example, the path **c:\cdp** is used. Select **OK**.
> [!NOTE]
> Make note of this path as you will use it later to configure share and file permissions.
-4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane.
+4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Select **Enable** in the details pane.
5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**.
6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
- In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane.
+ In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Select **Apply** in the actions pane.
7. Close **Internet Information Services (IIS) Manager**.
#### Create a DNS resource record for the CRL distribution point URL
1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
-2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
-3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**.
+2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and select **New Host (A or AAAA)...**.
+3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Select **Add Host**. Select **OK** to close the **DNS** dialog box. Select **Done**.
4. Close the **DNS Manager**.
@@ -143,37 +143,37 @@ These procedures configure NTFS and share permissions on the web server to allow
#### Configure the CDP file share
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
-3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
+2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**.
+3. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**.
-4. In the **Permissions for cdp$** dialog box, click **Add**.
-5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
-7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
-8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+4. In the **Permissions for cdp$** dialog box, select **Add**.
+5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**.
+8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
-9. In the **Advanced Sharing** dialog box, click **OK**.
+9. In the **Advanced Sharing** dialog box, select **OK**.
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
#### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
-3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
+2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**.
+3. Select **Caching**. Select **No files or programs from the shared folder are available offline**.
-4. Click **OK**.
+4. Select **OK**.
#### Configure NTFS permission for the CDP folder
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab.
-3. On the **Security** tab, click Edit.
-5. In the **Permissions for cdp** dialog box, click **Add**.
+2. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab.
+3. On the **Security** tab, select Edit.
+5. In the **Permissions for cdp** dialog box, select **Add**.
-6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**.
-7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
-8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-9. Click **Close** in the **cdp Properties** dialog box.
+6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**.
+8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
+9. Select **Close** in the **cdp Properties** dialog box.
### Configure the new CRL distribution point and Publishing location in the issuing certificate authority
@@ -183,17 +183,17 @@ The web server is ready to host the CRL distribution point. Now, configure the
#### Configure the CRL distribution Point
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
-3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (do not forget the trailing forward slash).
+2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash).
-5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Select **OK**.
7. Select the CDP you just created.
8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
9. Select **Include in the CDP extension of issued certificates**.
-10. Click **Apply** save your selections. Click **No** when ask to restart the service.
+10. Select **Apply** save your selections. Select **No** when ask to restart the service.
> [!NOTE]
> Optionally, you can remove unused CRL distribution points and publishing locations.
@@ -201,43 +201,43 @@ The web server is ready to host the CRL distribution point. Now, configure the
#### Configure the CRL publishing location
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
-3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash).
-5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash).
+5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Select **OK**.
7. Select the CDP you just created.
8. Select **Publish CRLs to this location**.
9. Select **Publish Delta CRLs to this location**.
-10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box.
+10. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box.
### Publish a new CRL
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
+2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
-3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
+3. In the **Publish CRL** dialog box, select **New CRL** and select **OK**.
#### Validate CDP Publishing
Validate your new CRL distribution point is working.
-1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL.
+1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing your new CRL.
### Reissue domain controller certificates
-With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate does not have the updated CRL distribution point.
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point.
1. Sign-in a domain controller using administrative credentials.
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**.
+4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**.
-5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**.
-6. After the enrollment completes, click **Finish** to close the wizard.
+5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**.
+6. After the enrollment completes, select **Finish** to close the wizard.
7. Repeat this procedure on all your domain controllers.
> [!NOTE]
@@ -250,16 +250,16 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Sign-in a domain controller using administrative credentials.
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
-5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
+3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
+5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**.
## Configure and Assign a Trusted Certificate Device Configuration Profile
-Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices do not trust domain controller certificates and authentication fails.
+Your domain controllers have new certificates that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to the device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
-Steps you will perform include:
+Steps you'll perform include:
- [Export Enterprise Root certificate](#export-enterprise-root-certificate)
- [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile)
@@ -267,30 +267,30 @@ Steps you will perform include:
1. Sign-in a domain controller using administrative credentials.
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**.
+3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**.
-5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
+5. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**.
-6. In the **Certificate Export Wizard**, click **Next**.
-7. On the **Export File Format** page of the wizard, click **Next**.
-8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
+6. In the **Certificate Export Wizard**, select **Next**.
+7. On the **Export File Format** page of the wizard, select **Next**.
+8. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box.
-9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
+9. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
### Create and Assign a Trust Certificate Device Configuration Profile
A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices.
-1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
-2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
+1. Sign-in to the [Microsoft Azure portal](https://portal.azure.com) and select **Microsoft Intune**.
+2. Select **Device configuration**. In the **Device Configuration** blade, select **Create profile**.
-3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
-4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
+3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Select **Configure**.
+4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Select **OK**. Select **Create**.
-5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
+5. In the **Enterprise Root Certificate** blade, select **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Select **Save**.
-6. Sign out of the Microsoft Azure Portal.
+6. Sign out of the Microsoft Azure portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
@@ -298,14 +298,14 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices**.
3. Choose **Enroll devices**.
4. Select **Windows enrollment**.
5. Under **Windows enrollment**, select **Windows Hello for Business**.
6. Select **Enabled** from the **Configure Windows Hello for Business** list.
-7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
+7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and doesn't allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
> [!IMPORTANT]
> The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 2d0fd8eb2a..9dbec8914c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -25,7 +25,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
> [!IMPORTANT]
> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
-Steps you will perform include:
+Steps you'll perform include:
- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
@@ -46,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD-
The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
-The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
+The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion).
The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options:
@@ -74,9 +74,9 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
1. Open **Synchronization Services** from the **Azure AD Connect** folder.
-2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
+2. In the **Synchronization Service Manager**, select **Help** and then select **About**.
-3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+3. If the version number isn't **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
@@ -89,7 +89,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted.
-3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent.
+3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**.
@@ -106,7 +106,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
```
-5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**.
+5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
#### Response