Merge branch 'main' into WDAC-Docs

2025-05-12 13:27:23 +00:00 · 2022-08-09 10:11:22 -05:00 · 2022-08-09 10:11:22 -05:00 · 9ef0457e56
commit 9ef0457e56
parent a500a48dcd 680738fae6
12 changed files with 294 additions and 114 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -19590,6 +19590,11 @@
      "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
      "redirect_document_id": false
     },
 	 {
      "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md",
      "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq",
      "redirect_document_id": false
 	 },
     {
      "source_path": "windows/security/identity-protection/access-control/security-identifiers.md",
      "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers",
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@ -7,7 +7,11 @@
          href: waas-delivery-optimization.md
        - name: What's new
          href: whats-new-do.md
        - name: Delivery Optimization Frequently Asked Questions
          href: waas-delivery-optimization-faq.yml
    - name: Configure Delivery Optimization
      items:
        - name: Configure Windows Clients
@ -15,7 +19,7 @@
            - name: Windows Delivery Optimization settings
              href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
            - name: Windows Delivery Optimization Frequently Asked Questions
-              href: ../update/waas-delivery-optimization-faq.md
+              href: ../do/waas-delivery-optimization-faq.yml
        - name: Configure Microsoft Endpoint Manager
          items:
            - name: Delivery Optimization settings in Microsoft Intune
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@ -33,5 +33,5 @@ This article lists the endpoints that need to be allowed through the firewall to
 | *.statics.teams.cdn.office.net |  HTTP / 80 </br> HTTPs / 443  | Teams | | Microsoft Endpoint Configuration Manager Distribution Point |
 | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com |  HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point |
 | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com |  HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates.  | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.do.dsp.mp.microsoft.com |  HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only.  | Microsoft Connected Cache Managed in Azure |
+| *.do.dsp.mp.microsoft.com |  HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only.  | Microsoft Connected Cache Managed in Azure |
 | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com |  AMQP / 5671 </br>  MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@ -49,7 +49,7 @@ landingContent:
          - text: Troubleshoot Delivery Optimization
            url: waas-delivery-optimization-setup.md#troubleshooting
          - text: Delivery Optimization Frequently Asked Questions
-            url: ../update/waas-delivery-optimization-faq.md
+            url: ../do/waas-delivery-optimization-faq.yml
          - text: Submit feedback
            url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@ -0,0 +1,108 @@
 ### YamlMime:FAQ
 metadata:
  title: Delivery Optimization Frequently Asked Questions
  description: The following is a list of frequently asked questions for Delivery Optimization.
  ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
  ms.reviewer: aaroncz
  ms.prod: m365-security
  ms.mktglfcycl: explore
  ms.sitesec: library
  ms.pagetype: security
  ms.localizationpriority: medium
  author: carmenf
  ms.author: carmenf
  manager: dougeby
  audience: ITPro
  ms.collection:
    - M365-security-compliance
    - highpri
  ms.topic: faq
  ms.date: 08/04/2022
  ms.custom: seo-marvel-apr2020
 title: Delivery Optimization Frequently Asked Questions
 summary: |
  **Applies to**
  -   Windows 10
  -   Windows 11
 sections:
  - name: Ignored
    questions:
      - question: Does Delivery Optimization work with WSUS?
        answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
      - question: Which ports does Delivery Optimization use?
        answer: | 
          Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
          Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
          Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
      - question: What are the requirements if I use a proxy?
        answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
      - question: What hostnames should I allow through my firewall to support Delivery Optimization?
        answer: | 
          **For communication between clients and the Delivery Optimization cloud service**:
          - `*.do.dsp.mp.microsoft.com`
          **For Delivery Optimization metadata**:
          - `*.dl.delivery.mp.microsoft.com`
          - `*.emdl.ws.microsoft.com`
          **For the payloads (optional)**:
          - `*.download.windowsupdate.com`
          - `*.windowsupdate.com`
          **For group peers across multiple NATs (Teredo)**:
          - `win1910.ipv6.microsoft.com`
          For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
      - question: Does Delivery Optimization use multicast?
        answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
      - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
        answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
      - question: How does Delivery Optimization handle VPNs?
        answer: |
          Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
          If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
          If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
          With split tunneling, make sure to allow direct access to these endpoints:
          Delivery Optimization service endpoint:
          - `https://*.prod.do.dsp.mp.microsoft.com`
          Delivery Optimization metadata:
          - `http://emdl.ws.microsoft.com`
          - `http://*.dl.delivery.mp.microsoft.com`
          Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
          - `http://*.windowsupdate.com`
          - `https://*.delivery.mp.microsoft.com`
          - `https://*.update.microsoft.com`
          - `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
          For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
      - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
        answer: |
          Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
          > [!NOTE]
          > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
--- a/windows/deployment/update/waas-delivery-optimization-faq.md
+++ b/windows/deployment/update/waas-delivery-optimization-faq.md
@ -1,101 +0,0 @@
 ---
 title: Delivery Optimization Frequently Asked Questions
 ms.reviewer: aaroncz
 manager: dougeby
 description: The following is a list of frequently asked questions for Delivery Optimization.
 ms.prod: w10
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.collection: M365-modern-desktop
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ---
 # Delivery Optimization Frequently Asked Questions
 **Applies to**
 - Windows 10
 - Windows 11
 ## Does Delivery Optimization work with WSUS?
 Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
 ## Which ports does Delivery Optimization use?
 Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
 Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
 Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
 ## What are the requirements if I use a proxy?
 For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
 ## What hostnames should I allow through my firewall to support Delivery Optimization?
 **For communication between clients and the Delivery Optimization cloud service**:
 - `*.do.dsp.mp.microsoft.com`
 **For Delivery Optimization metadata**:
 - `*.dl.delivery.mp.microsoft.com`
 - `*.emdl.ws.microsoft.com`
 **For the payloads (optional)**:
 - `*.download.windowsupdate.com`
 - `*.windowsupdate.com`
 **For group peers across multiple NATs (Teredo)**:
 - `win1910.ipv6.microsoft.com`
 For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
 ## Does Delivery Optimization use multicast?
 No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
 ## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
 Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
 ## How does Delivery Optimization handle VPNs?
 Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
 If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
 If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
 With split tunneling, make sure to allow direct access to these endpoints:
 Delivery Optimization service endpoint:
 - `https://*.prod.do.dsp.mp.microsoft.com`
 Delivery Optimization metadata:
 - `http://emdl.ws.microsoft.com`
 - `http://*.dl.delivery.mp.microsoft.com`
 Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
 - `http://*.windowsupdate.com`
 - `https://*.delivery.mp.microsoft.com`
 - `https://*.update.microsoft.com`
 - `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
 For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
 ## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
 Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
 > [!NOTE]
 > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@ -35,7 +35,7 @@
    - name: Operate
      href: operate/index.md
      items:
-        - name: Update management
+        - name: Software update management
          href: operate/windows-autopatch-update-management.md
          items:
            - name: Windows updates
@ -79,6 +79,8 @@
              href: operate/windows-autopatch-wqu-unsupported-policies.md
            - name: Microsoft 365 Apps for enterprise update policies
              href: references/windows-autopatch-microsoft-365-policies.md
        - name: Changes made at tenant enrollment
          href: references/windows-autopatch-changes-to-tenant.md
        - name: Privacy
          href: references/windows-autopatch-privacy.md
        - name: Windows Autopatch preview addendum
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s
 Once these actions are complete, you've now successfully enrolled your tenant.
 > [!NOTE]
 > For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
 ### Delete data collected from the Readiness assessment tool
 You can choose to delete the data we collect directly within the Readiness assessment tool.
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@ -0,0 +1,161 @@
 ---
 title: Changes made at tenant enrollment
 description:  This reference article details the changes made to your tenant when enrolling into Windows Autopatch
 ms.date: 08/08/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: reference
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 msreviewer: hathind
 ---
 # Changes made at tenant enrollment
 ## Service principal
 Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
 - Modern Workplace Customer APIs
 ## Azure Active Directory groups
 Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts.
 | Group name | Description |
 | ----- | ----- |
 | Modern Workplace-All | All Modern Workplace users |
 | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. |
 | Modern Workplace Devices-All | All Modern Workplace devices |
 | Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout |
 | Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters |
 | Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption |
 | Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization |
 | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -notStartsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 11</li></ul>  |
 | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -startsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 10</li></ul> |
 | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
 | Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role |
 | Modern Workplace Service - Intune Admin All | Group for Intune Admins<p>Assigned to: <ul><li>Modern Workplace Service Accounts</li></ul>|
 | Modern Workplace Service - Intune Reader All | Group for Intune readers<p>Assigned to: <ul><li>Modern Workplace Service Accounts</li></ul>|
 | Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users<p>Assigned to:<ul><li>Modern Workplace Service Accounts</li></ul>| 
 | Modern Workplace Service Accounts | Group for Windows Autopatch service accounts |
 | Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch |
 ## Windows Autopatch enterprise applications
 Enterprise applications are applications (software) that a business uses to do its work.
 Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
 | Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
 > [!NOTE]
 > Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
 ## Windows Autopatch cloud service accounts  
 Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls.
 > [!NOTE]
 > Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition.
 | Cloud service account name | Usage | Mitigating controls |
 | ----- | ----- | ------ |
 | MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.</li><li>This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.</li></ul> | Audited sign-ins |
 | MsAdminInt@tenantDomain.onmicrosoft.com | <ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.</li><li>This account is used for interactive sign-in to the customers’ tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).</li> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.</li><li>Audited sign-ins</li></ul> |
 | MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
 ## Device configuration policies
 - Modern Workplace - Set MDM to Win Over GPO
 - Modern Workplace - Telemetry Settings for Windows 10
 - Modern Workplace - Telemetry Settings for Windows 11
 - Modern Workplace-Window Update Detection Frequency
 - Modern Workplace - Data Collection
 | Policy name | Policy description | OMA | Value |
 | ----- | ----- | ----- | ----- |
 | Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
 | Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 |
 | Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ul><li>[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ul>|<ul><li>3</li><li>1</li><li>1</li><li>1</li> |
 | Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
 | Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul> | | |
 ## Update rings for Windows 10 and later
 - Modern Workplace Update Policy [Test]-[Windows Autopatch]
 - Modern Workplace Update Policy [First]-[Windows Autopatch]
 - Modern Workplace Update Policy [Fast]-[Windows Autopatch]
 - Modern Workplace Update Policy [Broad]-[Windows Autopatch]
 | Policy name | Policy description | OMA | Value |
 | ----- | ----- | ----- | ----- |
 | Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>0</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>0</li><li>0</li><li>False</li><li>False</li>|
 | Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring <p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>1</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li>|
 | Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>6</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li>|
 | Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>9</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>5</li><li>2</li><li>False</li><li>False</li>|
 ## Feature update policies
 - Modern Workplace DSS Policy [Test]
 - Modern Workplace DSS Policy [First]
 - Modern Workplace DSS Policy [Fast]
 - Modern Workplace DSS Policy [Broad]
 - Modern Workplace DSS Policy [Windows 11]
 | Policy name | Policy description | Value |
 | ----- | ----- | ----- |
 | Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
 | Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
 | Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
 | Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
 | Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
 ## Microsoft Office update policies
 - Modern Workplace - Office ADMX Deployment
 - Modern Workplace - Office Configuration v5
 - Modern Workplace - Office Update Configuration [Test]
 - Modern Workplace - Office Update Configuration [First]
 - Modern Workplace - Office Update Configuration [Fast]
 - Modern Workplace - Office Update Configuration [Broad]
 | Policy name | Policy description | OMA | Value |
 | ----- | ----- | ----- | ----- |
 | Modern Workplace - Office ADMX Deployment | ADMX file for Office<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul> | | |
 | Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
 | Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
 | Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul> | <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
 | Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>| <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 3</li>|
 | Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 7</li> |
 ## Microsoft Edge update policies
 - Modern Workplace - Edge Update ADMX Deployment
 - Modern Workplace - Edge Update Channel Stable
 - Modern Workplace - Edge Update Channel Beta
 | Policy name | Policy description | OMA | Value |
 | ----- | ----- | ----- | ----- |
 | Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
 | Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
 | Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test </li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
 ## Conditional access policies
 > [!NOTE]
 > Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition.
 | Conditional access policy | Description |
 | ----- | ----- |
 | Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. |
 ## PowerShell scripts
 | Script | Description |
 | ----- | ----- |
 | Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service |
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@ -70,6 +70,8 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
 | 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.|
 ## Errors with unknown mitigation
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@ -2,7 +2,7 @@
 title: Interactive Logon Message text (Windows 10)
 description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
 ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer: 
+ms.reviewer:
 ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte
 **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in.
-**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
+**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
 Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
 When these policy settings are configured, users will see a dialog box before they can sign in to the server console.
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@ -2,7 +2,7 @@
 title: Interactive logon Message title for users attempting to log on (Windows 10)
 description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
 ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer: 
+ms.reviewer:
 ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c
 This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
-The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on.
+The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
 Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
 When these policy settings are configured, users will see a dialog box before they can sign in the server console.
@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th
 ### Best practices
-1.  It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values:
+1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
   - RESTRICTED SYSTEM