diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 5c5047248c..ec54bee4ae 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -9,7 +9,7 @@ ms.pagetype: devices author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: 09/14/2021 +ms.date: 01/18/2022 ms.reviewer: manager: dansimp ms.topic: article @@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ``` where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - This command only works for AADJ device users already added to any of the local groups (administrators). - Otherwise this command throws the below error. For example: + In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example: - for cloud only user: "There is no such global user or group : *name*" - for synced user: "There is no such global user or group : *name*" 
@@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu - Adding users using policy - Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 96b516b939..4530da2896 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive ADMX Info:
Edition | +Windows 11 | +
---|---|
Home | +No | +
Pro | +Yes | +
Business | +Yes | +
Enterprise | +Yes | +
Education | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +Yes | +Yes | +
Business | +Yes | +Yes | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| +|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.
Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
|0xC1900200 - 0x20008|The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.
Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|
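Review bot: In connect-to-remote-aadj-pc.md, hunk @@ -55,8 +55,7, the added sentence is missing a verb: "In order to execute this PowerShell command you be a member of the local Administrators group" should read "you must be a member". The rewrite also shifts who the requirement applies to. The removed text said the command only works for AADJ device users already added to a local group, while the new text reads as a requirement on the person running the command. Please confirm which is meant, since the two error examples that follow ("There is no such global user or group") describe a name that does not resolve.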
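Review bot: In connect-to-remote-aadj-pc.md, hunk @@ -67,7 +66,7, the added line drops "or Azure AD groups" but still links to the anchor #manage-administrator-privileges-using-azure-ad-groups-preview, so the sentence and its target now disagree. Either say in the text why groups are no longer covered here, or point the link at a section that describes adding individual users. "add users to the Remote Desktop Users" is also missing the word "group".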
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index a7081e65f1..9310bdfa44 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -153,4 +153,4 @@ To create custom RDP settings for Azure:
[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
-
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
\ No newline at end of file
+
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 169a4416a4..1454d3ea81 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,142 +1,147 @@
----
-title: Activate using Active Directory-based activation (Windows 10)
-description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
-ms.custom: seo-marvel-apr2020
-ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
-manager: dougeby
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
-ms.collection: highpri
----
-
-# Activate using Active Directory-based activation
-
-> Applies to
->
->- Windows 10
->- Windows 8.1
->- Windows 8
->- Windows Server 2012 R2
->- Windows Server 2012
->- Windows Server 2016
->- Windows Server 2019
->- Office 2013*
->- Office 2016*
->- Office 2019*
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
-- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
-
-Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
-
-Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
-
-To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
-
-The process proceeds as follows:
-
-1. Perform one of the following tasks:
- - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
-
-2. Microsoft verifies the KMS host key, and an activation object is created.
-
-3. Client computers are activated by receiving the activation object from a domain controller during startup.
-
- > [!div class="mx-imgBorder"]
- > 
-
- **Figure 10**. The Active Directory-based activation flow
-
-For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
-
-If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
-
-Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
-
-When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
-
-## Step-by-step configuration: Active Directory-based activation
-
-> [!NOTE]
-> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
-
-**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
-
-1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
-
-2. Launch Server Manager.
-
-3. Add the Volume Activation Services role, as shown in Figure 11.
-
- 
-
- **Figure 11**. Adding the Volume Activation Services role
-
-4. Click the link to launch the Volume Activation Tools (Figure 12).
-
- 
-
- **Figure 12**. Launching the Volume Activation Tools
-
-5. Select the **Active Directory-Based Activation** option (Figure 13).
-
- 
-
- **Figure 13**. Selecting Active Directory-Based Activation
-
-6. Enter your KMS host key and (optionally) a display name (Figure 14).
-
- 
-
- **Figure 14**. Entering your KMS host key
-
-7. Activate your KMS host key by phone or online (Figure 15).
-
- 
-
- **Figure 15**. Choosing how to activate your product
-
- > [!NOTE]
- > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
- >
- >
- > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
- >
- > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
- >
- > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
-
-8. After activating the key, click **Commit**, and then click **Close**.
-
-## Verifying the configuration of Active Directory-based activation
-
-To verify your Active Directory-based activation configuration, complete the following steps:
-
-1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-3. If the computer is not joined to your domain, join it to the domain.
-4. Sign in to the computer.
-5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
-6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
-
- > [!NOTE]
- > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
- >
- > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
-
-
-## See also
-
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
\ No newline at end of file
+---
+title: Activate using Active Directory-based activation (Windows 10)
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+ms.custom: seo-marvel-apr2020
+ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
+manager: dougeby
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 01/13/2022
+ms.topic: article
+ms.collection: highpri
+---
+
+# Activate using Active Directory-based activation
+
+**Applies to**
+
+Windows 11
+Windows 10
+Windows 8.1
+Windows 8
+Windows Server 2012 R2
+Windows Server 2012
+Windows Server 2016
+Windows Server 2019
+Office 2021*
+Office 2019*
+Office 2016*
+Office 2013*
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
+- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
+
+Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
+
+Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
+
+To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
+
+The process proceeds as follows:
+
+1. Perform one of the following tasks:
+ - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
+ - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
+
+2. Microsoft verifies the KMS host key, and an activation object is created.
+
+3. Client computers are activated by receiving the activation object from a domain controller during startup.
+
+ > [!div class="mx-imgBorder"]
+ > 
+
+ **Figure 10**. The Active Directory-based activation flow
+
+For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
+
+If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
+
+Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
+
+When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
+
+## Step-by-step configuration: Active Directory-based activation
+
+> [!NOTE]
+> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
+
+**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
+
+1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
+
+2. Launch Server Manager.
+
+3. Add the Volume Activation Services role, as shown in Figure 11.
+
+ 
+
+ **Figure 11**. Adding the Volume Activation Services role
+
+4. Click the link to launch the Volume Activation Tools (Figure 12).
+
+ 
+
+ **Figure 12**. Launching the Volume Activation Tools
+
+5. Select the **Active Directory-Based Activation** option (Figure 13).
+
+ 
+
+ **Figure 13**. Selecting Active Directory-Based Activation
+
+6. Enter your KMS host key and (optionally) a display name (Figure 14).
+
+ 
+
+ **Figure 14**. Entering your KMS host key
+
+7. Activate your KMS host key by phone or online (Figure 15).
+
+ 
+
+ **Figure 15**. Choosing how to activate your product
+
+ > [!NOTE]
+ > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
+
+ >
+ >
+ > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
+ >
+ > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
+ >
+ > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
+ >
+ > - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
+
+8. After activating the key, click **Commit**, and then click **Close**.
+
+## Verifying the configuration of Active Directory-based activation
+
+To verify your Active Directory-based activation configuration, complete the following steps:
+
+1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
+2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+3. If the computer is not joined to your domain, join it to the domain.
+4. Sign in to the computer.
+5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
+
+ > [!NOTE]
+ > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
+ >
+ > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
+
+
+## See also
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
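Review bot: In the Office note under step 7, the blank "+" line after the sentence ending "activate-office-by-using-active-directory)." splits the [!NOTE] block, so the VL pack links in the ">" lines that follow render as a separate quote instead of inside the note; remove that blank line. The "Applies to" list was also changed from ">- " bullets to bare lines, which Markdown joins into one paragraph unless each line ends with a hard break; keep the bullets or add list markers. Smaller points: the front-matter title still says "(Windows 10)" although Windows 11 is now listed, step 2 of the verification section still spells the key "GLVK", and the hunk replaces all 142 lines even though most are textually unchanged, which hides the real edits (ms.date, Applies to, the Office 2021 entries) from review.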
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 5cbb5a3e71..75be38b908 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -162,7 +162,7 @@ After you download this file, the name will be extremely long (ex: 19042.508.200
The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
```powershell
-(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
```
The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
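Review bot: The unchanged sentence that introduces this command spells the cmdlet "Get-NetAdaper"; since the hunk already touches the command, correct it to **Get-NetAdapter** so readers who search for or copy the name get the real cmdlet. Replacing the "?" alias with Where-Object is fine. Note that the filter returns every physical adapter whose status is Up, so on a host with more than one such adapter the output is a list of names; the following paragraph could say so explicitly rather than only asking the reader to verify the name.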
@@ -178,10 +178,10 @@ All VM data will be created under the current path in your PowerShell prompt. Co
>
>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
>- If you have never created an external VM switch before, then just run the commands below.
->- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
+>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
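Review bot: The corrected bullet still writes the cmdlet as "**get-vmswitch**" while every other cmdlet in this hunk uses Verb-Noun casing (Get-NetAdapter, New-VMSwitch, Add-VMDvdDrive); use **Get-VMSwitch** for consistency with the code block.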
@@ -238,7 +238,6 @@ PS C:\autopilot>
Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
-


@@ -251,7 +250,6 @@ Make sure that the VM booted from the installation ISO, select **Next**, select

-
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:

@@ -279,12 +277,12 @@ Follow these steps to run the PowerShell script:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
```powershell
- md c:\HWID
- Set-Location c:\HWID
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ New-Item -Type Directory -Path "C:\HWID"
+ Set-Location C:\HWID
+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
- Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
```
1. When you're prompted to install the NuGet package, choose **Yes**.
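Review bot: Dropping -Force from the Set-ExecutionPolicy line means the command now asks for confirmation before changing the policy, but the step after the code block only mentions the NuGet prompt; either keep -Force or add a step telling the reader to accept the execution policy change. Moving from Unrestricted to RemoteSigned at Process scope is the tighter setting and is worth keeping. In the New-Item line, -Type is an alias; "-ItemType Directory" is the documented parameter name and reads more clearly in documentation.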
@@ -349,7 +347,7 @@ Follow these steps to run the PowerShell script:
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**.
+Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.

@@ -616,7 +614,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
### Delete (deregister) Autopilot device
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index a43a8f75e9..7260afb4d5 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 12/03/2021
+ms.date: 01/18/2022
---
# Change the TPM owner password
@@ -46,7 +46,7 @@ Instead of changing your owner password, you can also use the following options
## Change the TPM owner password
-With Windows 10, version 1507 or 1511, or Windows 11, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
+With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index ace2bfd284..a9559b8677 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -48,6 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
-> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
>
-> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
+> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
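Review bot: In the sentence added at the end of the first note paragraph, "This behavior" has no clear antecedent: the preceding text describes both the 4656 event appearing under the legacy "Audit Object Access" setting and its absence under the Audit Registry subcategory. State it directly, for example "Event 4656 is generated on subkey creation only on Windows 11, Windows Server 2022, and later", so anyone building detections on 4656 knows which OS versions produce it. The second changed line appears to differ only in whitespace; confirm that is intended.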
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index f815be18a8..4ee65904e9 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -173,7 +173,7 @@ For 4673(S, F): A privileged service was called.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
+- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details.
- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”
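Review bot: The rewritten "Monitor for this event" bullet drops the sentence "Especially monitor Failure events." while adding the subcategory links, and nothing in the hunk explains the removal. The event is documented as 4673(S, F), so Failure events still occur, and the guidance to prioritize them is a monitoring recommendation readers may rely on. If the removal is deliberate, say why in the commit description. Otherwise keep the sentence and append the "See subcategories ..." links after it. As a minor style point, the new links use site-absolute paths while the neighbouring Appendix A link is a relative .md reference.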
@@ -193,4 +193,4 @@ For 4673(S, F): A privileged service was called.
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
-- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
\ No newline at end of file
+- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index c0a822af53..d64c7e44ba 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 01/18/2022
ms.technology: windows-sec
---
@@ -27,7 +27,7 @@ ms.technology: windows-sec
Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
-Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/sir/default.aspx).
+Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report).
Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
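Review bot: In the changed line, the link target now points to /security/business/microsoft-digital-defense-report but the link text still reads "Microsoft Security Intelligence Report", so the label no longer matches the destination. Update the link text to the name of the report the new URL serves, or note in the sentence that the Security Intelligence Report has been superseded, so readers are not surprised by where the link lands.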
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 753623905e..91c71ff99f 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -52,4 +52,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as
## See Also
[What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
+[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 18d9c7bbea..f76ae48be7 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -18,6 +18,7 @@ ms.collection: highpri
**Applies to**
- Windows 11
+- Windows 10
Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.