Merge branch 'main' into patch-2

windows/deployment/update/includes/wufb-reports-admin-center-permissions.md

@@ -5,7 +5,7 @@ manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
-ms.date: 08/18/2022
+ms.date: 03/15/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
@@ -15,7 +15,9 @@ To enroll into Windows Update for Business reports, edit configuration settings,
 - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
 - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
-   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center
+   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
+- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
+   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
 
 To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
   - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)

windows/deployment/update/includes/wufb-reports-verify-device-configuration.md

@@ -8,7 +8,7 @@ ms.topic: include
 ms.date: 08/10/2022
 ms.localizationpriority: medium
 ---
-<!--This file is shared by updates/wufb-reports-help.md and the update/wufb-reports-configuration-script.md articles. Headings are driven by article context.  -->
+<!--This file is used by update/wufb-reports-configuration-script.md articles. It was dropped from updates/wufb-reports-help.md. Headings are driven by article context.  -->
 
 In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:
 

windows/deployment/update/wufb-reports-prerequisites.md

@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 02/14/2023
+ms.date: 03/15/2023
 ms.technology: itpro-updates
 ---
 
@@ -32,8 +32,9 @@ Before you begin the process of adding Windows Update for Business reports to yo
 
 **Log Analytics permissions**:
 
+The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: 
 - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
-- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
+- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data 
 
 ## Operating systems and editions
 

windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md

@@ -68,11 +68,11 @@ For more information about how Windows diagnostic data is used, see:
 
 ## Tenant access
 
-Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
+Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.
 
 | Enterprise application name | Usage | Permissions |
 | ----- | ----- | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.ReadWrite.All</li></ul>|
+| Modern Workplace Management | The Modern Workplace Management application:<ul><li>Manages the service</li><li>Publishes baseline configuration updates</li><li>Maintains overall service health</li></ul> | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.ReadWrite.All</li></ul>|
 
 ### Service accounts
 

windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md

@@ -23,7 +23,7 @@ The following configuration details explain the changes made to your tenant when
 
 Enterprise applications are applications (software) that a business uses to do its work.
 
-Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
+Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.
 
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |