Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into copilot-xplat-8348943

windows/client-management/implement-server-side-mobile-application-management.md

@@ -1,29 +1,29 @@
 ---
-title: Support for mobile application management on Windows
+title: Support for Windows Information Protection (WIP) on Windows
-description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
+description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
 ms.topic: article
 ms.date: 08/10/2023
 ---
 
-# Support for mobile application management on Windows
+# Support for Windows Information Protection (WIP) on Windows
 
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
 
 [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
 
 ## Integration with Azure AD
 
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+WIP is integrated with Azure Active Directory (Azure AD) identity service. The WIP service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
 
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Entra ID account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
 
 On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
 
 Regular non administrator users can enroll to MAM.
 
-## Integration with Windows Information Protection
+## Understand Windows Information Protection
 
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
+WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
 
 To make applications WIP-aware, app developers need to include the following data in the app resource file.
 
@@ -74,7 +74,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
 
 ## Supported CSPs
 
-MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
+WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
 
 - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
 - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.

windows/client-management/mdm/devicepreparation-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -430,7 +430,7 @@ This node provides status of the Device Preparation page. Values are an enum: 0
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
-| Access Type | Get |
+| Access Type | Get, Replace |
 <!-- Device-PageStatus-DFProperties-End -->
 
 <!-- Device-PageStatus-AllowedValues-Begin -->

windows/client-management/mdm/devicepreparation-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -88,6 +88,7 @@ The following XML file contains the device description framework (DDF) for the D
       <DFProperties>
         <AccessType>
           <Get />
+          <Replace />
         </AccessType>
         <Description>This node provides status of the Device Preparation page.  Values are an enum: 0 = Disabled; 1 = Enabled;  2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
         <DFFormat>

windows/client-management/mdm/firewall-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3472,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
@@ -3547,7 +3547,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-65535]` |
+| Allowed Values | Range: `[0-255]` |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-DFProperties-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Examples-Begin -->
@@ -3812,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@@ -3961,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
@@ -3999,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4049,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4099,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4149,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@@ -4296,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@@ -4334,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4384,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4434,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4484,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@@ -4533,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@@ -4571,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4621,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4671,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4721,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->

windows/client-management/mdm/firewall-ddf-file.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3030,7 +3030,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="ENUM">
@@ -3064,7 +3064,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3257,7 +3257,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3450,7 +3450,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -4597,7 +4597,7 @@ If not specified the detault is OUT.</Description>
                 <MIME />
               </DFType>
               <MSFT:AllowedValues ValueType="Range">
-                <MSFT:Value>[0-65535]</MSFT:Value>
+                <MSFT:Value>[0-255]</MSFT:Value>
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
@@ -4833,7 +4833,7 @@ If not specified - a new rule is disabled by default.</Description>
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="Flag">

windows/client-management/mdm/passportforwork-csp.md

@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -32,6 +32,7 @@ The following list shows the PassportForWork configuration service provider node
 - ./Device/Vendor/MSFT/PassportForWork
   - [{TenantId}](#devicetenantid)
     - [Policies](#devicetenantidpolicies)
+      - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
       - [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
       - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
       - [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -164,6 +165,55 @@ Root node for policies.
 
 <!-- Device-{TenantId}-Policies-End -->
 
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Begin -->
+#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
+```
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-Begin -->
+<!-- Description-Source-DDF -->
+Disable caching of the Windows Hello for Business credential after sign-in.
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | False |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-End -->
+
 <!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Begin -->
 #### Device/{TenantId}/Policies/DisablePostLogonProvisioning
 

windows/client-management/mdm/passportforwork-ddf.md

@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -892,6 +892,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
             </MSFT:AllowedValues>
           </DFProperties>
         </Node>
+        <Node>
+          <NodeName>DisablePostLogonCredentialCaching</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>False</DefaultValue>
+            <Description>Disable caching of the Windows Hello for Business credential after sign-in.</Description>
+            <DFFormat>
+              <bool />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:Applicability>
+              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:CspVersion>1.6</MSFT:CspVersion>
+            </MSFT:Applicability>
+            <MSFT:AllowedValues ValueType="ENUM">
+              <MSFT:Enum>
+                <MSFT:Value>false</MSFT:Value>
+                <MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+              <MSFT:Enum>
+                <MSFT:Value>true</MSFT:Value>
+                <MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
         <Node>
           <NodeName>UseCertificateForOnPremAuth</NodeName>
           <DFProperties>

windows/client-management/mdm/policies-in-policy-csp-admx-backed.md

@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2144,6 +2144,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
 - [EnableAllowedSources](policy-csp-desktopappinstaller.md)
 - [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
 
 ## DeviceInstallation
 
@@ -2416,7 +2417,10 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [IntranetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneLogonOptions](policy-csp-internetexplorer.md)
 - [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
 - [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
 - [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)

windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md

@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 09/25/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -383,10 +383,18 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@@ -394,11 +402,13 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
@@ -412,8 +422,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)

windows/client-management/mdm/policy-csp-applicationdefaults.md

@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
 
 <!-- DefaultAssociationsConfiguration-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
 <!-- DefaultAssociationsConfiguration-Description-End -->
 
 <!-- DefaultAssociationsConfiguration-Editable-Begin -->

windows/client-management/mdm/policy-csp-defender.md

@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1074,10 +1074,18 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
 - If you enable this setting, CPU utilization won't exceed the percentage specified.
 
 - If you disable or don't configure this setting, CPU utilization won't exceed the default value.
+
 <!-- AvgCPULoadFactor-Description-End -->
 
 <!-- AvgCPULoadFactor-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+
+> [!NOTE]
+> If you enable both of the following policies, then Windows ignores the value of **AvgCPULoadFactor**:
+> 
+> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
+> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
+
 <!-- AvgCPULoadFactor-Editable-End -->
 
 <!-- AvgCPULoadFactor-DFProperties-Begin -->
@@ -2902,7 +2910,9 @@ Valid remediation action values are:
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- Links -->
 [TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+
 [TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
+
 <!-- Defender-CspMoreInfo-End -->
 
 <!-- Defender-End -->
@@ -2910,3 +2920,4 @@ Valid remediation action values are:
 ## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)
+

windows/client-management/mdm/policy-csp-desktopappinstaller.md

@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- DesktopAppInstaller-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DesktopAppInstaller-Editable-End -->
@@ -723,6 +725,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
 
 <!-- EnableSettings-End -->
 
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Begin -->
+## EnableWindowsPackageManagerCommandLineInterfaces
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
+```
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
+<!-- ADMX-Not-Found -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| ADMX File Name | DesktopAppInstaller.admx |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-End -->
+
 <!-- SourceAutoUpdateInterval-Begin -->
 ## SourceAutoUpdateInterval
 

windows/client-management/mdm/policy-csp-internetexplorer.md

@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- InternetExplorer-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- InternetExplorer-Editable-End -->
@@ -7727,6 +7729,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- IntranetZoneJavaPermissions-End -->
 
+<!-- IntranetZoneLogonOptions-Begin -->
+## IntranetZoneLogonOptions
+
+<!-- IntranetZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- IntranetZoneLogonOptions-Applicability-End -->
+
+<!-- IntranetZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+<!-- IntranetZoneLogonOptions-OmaUri-End -->
+
+<!-- IntranetZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+<!-- IntranetZoneLogonOptions-Description-End -->
+
+<!-- IntranetZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Editable-End -->
+
+<!-- IntranetZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IntranetZoneLogonOptions-DFProperties-End -->
+
+<!-- IntranetZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_3 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
+| ADMX File Name | inetres.admx |
+<!-- IntranetZoneLogonOptions-AdmxBacked-End -->
+
+<!-- IntranetZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Examples-End -->
+
+<!-- IntranetZoneLogonOptions-End -->
+
 <!-- IntranetZoneNavigateWindowsAndFrames-Begin -->
 ## IntranetZoneNavigateWindowsAndFrames
 
@@ -8730,6 +8804,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- LocalMachineZoneJavaPermissions-End -->
 
+<!-- LocalMachineZoneLogonOptions-Begin -->
+## LocalMachineZoneLogonOptions
+
+<!-- LocalMachineZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- LocalMachineZoneLogonOptions-Applicability-End -->
+
+<!-- LocalMachineZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+<!-- LocalMachineZoneLogonOptions-OmaUri-End -->
+
+<!-- LocalMachineZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- LocalMachineZoneLogonOptions-Description-End -->
+
+<!-- LocalMachineZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Editable-End -->
+
+<!-- LocalMachineZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- LocalMachineZoneLogonOptions-DFProperties-End -->
+
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_9 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
+| ADMX File Name | inetres.admx |
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-End -->
+
+<!-- LocalMachineZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Examples-End -->
+
+<!-- LocalMachineZoneLogonOptions-End -->
+
 <!-- LocalMachineZoneNavigateWindowsAndFrames-Begin -->
 ## LocalMachineZoneNavigateWindowsAndFrames
 
@@ -17229,6 +17375,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- TrustedSitesZoneJavaPermissions-End -->
 
+<!-- TrustedSitesZoneLogonOptions-Begin -->
+## TrustedSitesZoneLogonOptions
+
+<!-- TrustedSitesZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- TrustedSitesZoneLogonOptions-Applicability-End -->
+
+<!-- TrustedSitesZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+<!-- TrustedSitesZoneLogonOptions-OmaUri-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- TrustedSitesZoneLogonOptions-Description-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Editable-End -->
+
+<!-- TrustedSitesZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- TrustedSitesZoneLogonOptions-DFProperties-End -->
+
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_5 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
+| ADMX File Name | inetres.admx |
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Examples-End -->
+
+<!-- TrustedSitesZoneLogonOptions-End -->
+
 <!-- TrustedSitesZoneNavigateWindowsAndFrames-Begin -->
 ## TrustedSitesZoneNavigateWindowsAndFrames
 

windows/client-management/mdm/policy-csp-update.md

@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/28/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -293,7 +293,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
 
 <!-- AllowOptionalContent-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
 <!-- AllowOptionalContent-Description-End -->
 
 <!-- AllowOptionalContent-Editable-Begin -->
@@ -1281,7 +1281,7 @@ If the status is set to Disabled or Not Configured, Windows will check for avail
 > If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
 
 > [!NOTE]
-> This policy isn't supported on %WINDOWS_ARM_VERSION_6_2%. Setting this policy won't have any effect on %WINDOWS_ARM_VERSION_6_2% PCs.
+> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
 <!-- DetectionFrequency-Description-End -->
 
 <!-- DetectionFrequency-Editable-Begin -->
@@ -1459,7 +1459,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-OmaUri-Begin -->
@@ -1528,7 +1528,7 @@ Configure this policy to specify whether to receive **Windows Driver Updates** f
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-OmaUri-Begin -->
@@ -1597,7 +1597,7 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-OmaUri-Begin -->
@@ -1666,7 +1666,7 @@ Configure this policy to specify whether to receive **Other Updates** from Windo
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-OmaUri-Begin -->

windows/client-management/mdm/policy-csp-windowslogon.md

@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 09/14/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -589,7 +589,6 @@ OverrideShellProgram policy allows IT admin to configure the shell program for W
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
-| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br>  |
 <!-- OverrideShellProgram-DFProperties-End -->
 
 <!-- OverrideShellProgram-AllowedValues-Begin -->

windows/deployment/TOC.yml

@@ -124,16 +124,6 @@
                   href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
                 - name: In-place upgrade
                   href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
-            - name: Subscription Activation
-              items:
-                - name: Windows subscription activation
-                  href: windows-10-subscription-activation.md
-                - name: Windows Enterprise E3 in CSP
-                  href: windows-10-enterprise-e3-overview.md
-                - name: Configure VDA for subscription activation
-                  href: vda-subscription-activation.md
-                - name: Deploy Windows Enterprise licenses
-                  href: deploy-enterprise-licenses.md
         - name: Deploy Windows client updates
           items:
             - name: Assign devices to servicing channels
@@ -184,6 +174,109 @@
               href: update/deployment-service-drivers.md
           - name: Troubleshoot Windows Update for Business deployment service
             href: update/deployment-service-troubleshoot.md
+    - name: Activate
+      items:
+      - name: Windows subscription activation
+        href: windows-10-subscription-activation.md
+      - name: Windows Enterprise E3 in CSP
+        href: windows-10-enterprise-e3-overview.md
+      - name: Configure VDA for subscription activation
+        href: vda-subscription-activation.md
+      - name: Deploy Windows Enterprise licenses
+        href: deploy-enterprise-licenses.md
+      - name: Volume Activation 
+        items:
+        - name: Overview
+          href: volume-activation/volume-activation-windows-10.md
+        - name: Plan for volume activation 
+          href: volume-activation/plan-for-volume-activation-client.md
+        - name: Activate using Key Management Service 
+          href: volume-activation/activate-using-key-management-service-vamt.md
+        - name: Activate using Active Directory-based activation 
+          href: volume-activation/activate-using-active-directory-based-activation-client.md
+        - name: Activate clients running Windows 10
+          href: volume-activation/activate-windows-10-clients-vamt.md
+        - name: Monitor activation 
+          href: volume-activation/monitor-activation-client.md
+        - name: Use the Volume Activation Management Tool 
+          href: volume-activation/use-the-volume-activation-management-tool-client.md
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+      - name: Volume Activation Management Tool (VAMT)
+        items:
+        - name: VAMT technical reference
+          href: volume-activation/volume-activation-management-tool.md
+        - name: Introduction to VAMT
+          href: volume-activation/introduction-vamt.md
+        - name: Active Directory-Based Activation Overview
+          href: volume-activation/active-directory-based-activation-overview.md
+        - name: Install and Configure VAMT
+          items:
+          - name: Overview
+            href: volume-activation/install-configure-vamt.md
+          - name: VAMT Requirements
+            href: volume-activation/vamt-requirements.md
+          - name: Install VAMT
+            href: volume-activation/install-vamt.md
+          - name: Configure Client Computers
+            href: volume-activation/configure-client-computers-vamt.md
+        - name: Add and Manage Products
+          items:
+          - name: Overview
+            href: volume-activation/add-manage-products-vamt.md
+          - name: Add and Remove Computers
+            href: volume-activation/add-remove-computers-vamt.md
+          - name: Update Product Status
+            href: volume-activation/update-product-status-vamt.md
+          - name: Remove Products
+            href: volume-activation/remove-products-vamt.md
+        - name: Manage Product Keys
+          items:
+          - name: Overview
+            href: volume-activation/manage-product-keys-vamt.md
+          - name: Add and Remove a Product Key
+            href: volume-activation/add-remove-product-key-vamt.md
+          - name: Install a Product Key
+            href: volume-activation/install-product-key-vamt.md
+          - name: Install a KMS Client Key
+            href: volume-activation/install-kms-client-key-vamt.md
+        - name: Manage Activations
+          items:
+          - name: Overview
+            href: volume-activation/manage-activations-vamt.md
+          - name: Run Online Activation
+            href: volume-activation/online-activation-vamt.md
+          - name: Run Proxy Activation
+            href: volume-activation/proxy-activation-vamt.md
+          - name: Run KMS Activation
+            href: volume-activation/kms-activation-vamt.md
+          - name: Run Local Reactivation
+            href: volume-activation/local-reactivation-vamt.md
+          - name: Activate an Active Directory Forest Online
+            href: volume-activation/activate-forest-vamt.md
+          - name: Activate by Proxy an Active Directory Forest
+            href: volume-activation/activate-forest-by-proxy-vamt.md
+        - name: Manage VAMT Data
+          items:
+          - name: Overview
+            href: volume-activation/manage-vamt-data.md
+          - name: Import and Export VAMT Data
+            href: volume-activation/import-export-vamt-data.md
+          - name: Use VAMT in Windows PowerShell
+            href: volume-activation/use-vamt-in-windows-powershell.md
+          - name: VAMT Step-by-Step Scenarios
+            items:
+            - name: Overview
+              href: volume-activation/vamt-step-by-step.md
+            - name: "Scenario 1: Online Activation"
+              href: volume-activation/scenario-online-activation-vamt.md
+            - name: "Scenario 2: Proxy Activation"
+              href: volume-activation/scenario-proxy-activation-vamt.md
+            - name: "Scenario 3: KMS Client Activation"
+              href: volume-activation/scenario-kms-activation-vamt.md
+          - name: VAMT Known Issues
+            href: volume-activation/vamt-known-issues.md
+      - name: Information sent to Microsoft during activation
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
     - name: Monitor
       items:
       - name: Windows Update for Business reports
@@ -280,9 +373,9 @@
         - name: How does Windows Update work?
           href: update/how-windows-update-works.md
         - name: Windows client upgrade paths
-          href: upgrade/windows-10-upgrade-paths.md
+          href: upgrade/windows-upgrade-paths.md
         - name: Windows client edition upgrade
-          href: upgrade/windows-10-edition-upgrades.md
+          href: upgrade/windows-edition-upgrades.md
         - name: Deploy Windows 10 with Microsoft 365
           href: deploy-m365.md
         - name: Understand the Unified Update Platform
@@ -327,82 +420,6 @@
                       href: planning/security-and-data-protection-considerations-for-windows-to-go.md
                     - name: "Windows To Go: frequently asked questions"
                       href: planning/windows-to-go-frequently-asked-questions.yml
-        
-                - name: Volume Activation Management Tool (VAMT) technical reference
-                  items:
-                    - name: VAMT technical reference
-                      href: volume-activation/volume-activation-management-tool.md
-                    - name: Introduction to VAMT
-                      href: volume-activation/introduction-vamt.md
-                    - name: Active Directory-Based Activation Overview
-                      href: volume-activation/active-directory-based-activation-overview.md
-                    - name: Install and Configure VAMT
-                      items:
-                      - name: Overview
-                        href: volume-activation/install-configure-vamt.md
-                      - name: VAMT Requirements
-                        href: volume-activation/vamt-requirements.md
-                      - name: Install VAMT
-                        href: volume-activation/install-vamt.md
-                      - name: Configure Client Computers
-                        href: volume-activation/configure-client-computers-vamt.md
-                    - name: Add and Manage Products
-                      items:
-                      - name: Overview
-                        href: volume-activation/add-manage-products-vamt.md
-                      - name: Add and Remove Computers
-                        href: volume-activation/add-remove-computers-vamt.md
-                      - name: Update Product Status
-                        href: volume-activation/update-product-status-vamt.md
-                      - name: Remove Products
-                        href: volume-activation/remove-products-vamt.md
-                    - name: Manage Product Keys
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-product-keys-vamt.md
-                      - name: Add and Remove a Product Key
-                        href: volume-activation/add-remove-product-key-vamt.md
-                      - name: Install a Product Key
-                        href: volume-activation/install-product-key-vamt.md
-                      - name: Install a KMS Client Key
-                        href: volume-activation/install-kms-client-key-vamt.md
-                    - name: Manage Activations
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-activations-vamt.md
-                      - name: Run Online Activation
-                        href: volume-activation/online-activation-vamt.md
-                      - name: Run Proxy Activation
-                        href: volume-activation/proxy-activation-vamt.md
-                      - name: Run KMS Activation
-                        href: volume-activation/kms-activation-vamt.md
-                      - name: Run Local Reactivation
-                        href: volume-activation/local-reactivation-vamt.md
-                      - name: Activate an Active Directory Forest Online
-                        href: volume-activation/activate-forest-vamt.md
-                      - name: Activate by Proxy an Active Directory Forest
-                        href: volume-activation/activate-forest-by-proxy-vamt.md
-                    - name: Manage VAMT Data
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-vamt-data.md
-                      - name: Import and Export VAMT Data
-                        href: volume-activation/import-export-vamt-data.md
-                      - name: Use VAMT in Windows PowerShell
-                        href: volume-activation/use-vamt-in-windows-powershell.md
-                    - name: VAMT Step-by-Step Scenarios
-                      items:
-                      - name: Overview
-                        href: volume-activation/vamt-step-by-step.md
-                      - name: "Scenario 1: Online Activation"
-                        href: volume-activation/scenario-online-activation-vamt.md
-                      - name: "Scenario 2: Proxy Activation"
-                        href: volume-activation/scenario-proxy-activation-vamt.md
-                      - name: "Scenario 3: KMS Client Activation"
-                        href: volume-activation/scenario-kms-activation-vamt.md
-                    - name: VAMT Known Issues
-                      href: volume-activation/vamt-known-issues.md
-        
                 - name: User State Migration Tool (USMT) technical reference
                   items:
                     - name: USMT overview articles
@@ -570,25 +587,6 @@
                     href: planning/testing-your-application-mitigation-packages.md
                   - name: Use the Sdbinst.exe Command-Line Tool
                     href: planning/using-the-sdbinstexe-command-line-tool.md
-                - name: Volume Activation 
-                  items:
-                  - name: Overview
-                    href: volume-activation/volume-activation-windows-10.md
-                  - name: Plan for volume activation 
-                    href: volume-activation/plan-for-volume-activation-client.md
-                  - name: Activate using Key Management Service 
-                    href: volume-activation/activate-using-key-management-service-vamt.md
-                  - name: Activate using Active Directory-based activation 
-                    href: volume-activation/activate-using-active-directory-based-activation-client.md
-                  - name: Activate clients running Windows 10
-                    href: volume-activation/activate-windows-10-clients-vamt.md
-                  - name: Monitor activation 
-                    href: volume-activation/monitor-activation-client.md
-                  - name: Use the Volume Activation Management Tool 
-                    href: volume-activation/use-the-volume-activation-management-tool-client.md
-                - name: "Appendix: Information sent to Microsoft during activation "
-                  href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
-
         - name: Install fonts in Windows client
           href: windows-10-missing-fonts.md
         - name: Customize Windows PE boot images

windows/deployment/upgrade/windows-edition-upgrades.md

@@ -31,7 +31,7 @@ For a comprehensive list of all possible upgrade paths to Windows, see [Windows
 
 The following table shows the methods and paths available to change the edition of Windows that is running on your computer.
 
-| Edition upgrade | MDM | Provisioning package | Command-line tool | Manually entering product key |
+| Edition upgrade | MDM | Provisioning<br>package | Command-<br>line tool | Manually entering<br>product key |
 |-----| ----- | ----- | ----- | ----- |
 | **Home > Pro** | ❌ | ❌ | ❌ | ☑️ |
 | **Home > Pro for Workstations** | ❌ | ❌ | ❌ | ☑️|
@@ -51,22 +51,22 @@ The following table shows the methods and paths available to change the edition
 - ☑️ = Supported, but reboot required.
 - ❌ = Not supported.
 - MDM = Modern device management.
-- Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
 
 > [!NOTE]
 >
-> Edition upgrades via Microsoft Store for Business are no longer available with the [retirement of Microsoft Store for Business](/announcements/microsoft-store-for-business-education-retiring).
+> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
+>
+> - Edition upgrades via Microsoft Store for Business are no longer available with the retirement of the Microsoft Store for Business. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring) and [Microsoft Store for Business and Microsoft Store for Education overview](/microsoft-store/microsoft-store-for-business-overview).
 
 > [!TIP]
->
+> Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
-> - For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
->
-> - Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
 
 ## Upgrade using modern device management (MDM)
 
 To upgrade desktop editions of Windows using MDM, enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
 
+For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
+
 ## Upgrade using a provisioning package
 
 Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition of Windows. Windows Configuration Designer is available as part of the Windows Assessment and Deployment Kit (Windows ADK) or as a stand-alone Microsoft Store app. Download the Windows Configuration Designer from one of the following locations:
@@ -178,11 +178,7 @@ The following scenarios aren't supported:
 
 ## Supported Windows downgrade paths
 
-- Yes = Supported downgrade path.
+| Edition | Home | Pro | Pro for<br> Workstations | Pro<br>Education | Education | Enterprise<br>LTSC | Enterprise |
-- No = not supported or not a downgrade.
-- \- = Not considered a downgrade or an upgrade.
-
-| Edition | Home | Pro | Pro for Workstations | Pro Education | Education | Enterprise LTSC | Enterprise |
 |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
 | **Home** | - | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
 | **Pro** | ❌ | - | ❌ | ❌ | ❌ | ❌ | ❌ |
@@ -192,7 +188,13 @@ The following scenarios aren't supported:
 | **Enterprise LTSC** | ❌ | ❌ | ❌ | ❌ | ❌ | - | ❌ |
 | **Enterprise** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
 
-**Windows N/KN**: Windows **N** and **KN** SKUs follow the same rules shown in the table.
+- ✅ = Supported downgrade path.
+- ❌ = not supported or not a downgrade.
+- \- = Not considered a downgrade or an upgrade.
+
+> [!NOTE]
+>
+> Windows **N** and Windows **KN** SKUs follow the same rules shown in the table.
 
 The table may not represent more complex scenarios. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key. You can then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
 

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md

@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 09/11/2023 
+ms.date: 10/04/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -33,6 +33,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Message center post number | Description |
 | ----- | ----- |
+| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
+| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
 | [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
 | [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
 

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1933,7 +1933,7 @@ To turn off these recommendations, you can use any of the following methods:
 - In Group Policy, set the "Remove Recommended from Start Menu" policy to Enabled under **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
 - In an MDM solution, such as Microsoft Intune, you can use the [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP).
 - In the registry, you can set **HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs** to 0.
-- In the UI, you can turn off **Show recommendations for tips, shortcuts, new apps, and more** under **Settings** > **Personalization** > **Start**.
+- In the UI, you can turn off **Show recently opened items in Start, Jump Lists, and File Explorer** under **Settings** > **Personalization** > **Start**.
 
 ### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
 

windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md

@@ -1,9 +1,8 @@
 ---
 title: Windows Hello for Business cloud-only deployment
 description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 06/23/2021
+ms.date: 10/03/2023
 ms.topic: how-to
-ms.custom: has-azure-ad-ps-ref
 ---
 # Cloud-only deployment
 
@@ -11,34 +10,34 @@ ms.custom: has-azure-ad-ps-ref
 
 ## Introduction
 
-When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, there's no additional configuration needed.
+When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
 
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
+You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
 
 > [!NOTE]
-> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+> During the out-of-box experience (OOBE) flow of an Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
 
 ## Prerequisites
 
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
 
-Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 
-Check and view this setting with the following MSOnline PowerShell command:
+```powershell
+Connect-MgGraph
+$DomainId = "<your federated domain name>"
+Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
+```
 
-`Get-MsolDomainFederationSettings -DomainName <your federated domain name>`
+To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain.
 
-To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
+```powershell
+Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
+```
 
-`Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
+If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
-
-Example:
-
-`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
-
-If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
 
 ## Use Intune to disable Windows Hello for Business enrollment
 
@@ -63,7 +62,7 @@ If you don't use Intune in your organization, then you can disable Windows Hello
 
 Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
 
 ```msgraph-interactive
 GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -83,12 +82,3 @@ These registry settings can be applied from Local or Group Policies:
 - Value = **0** for Disable or Value = **1** for Enable
 
 If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
-
-## Related reference documents for Azure AD join scenarios
-
-- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join)
-- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
-- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
-- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin)
-- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
-- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)

windows/security/identity-protection/web-sign-in/index.md

@@ -87,7 +87,8 @@ Here's a list of key scenarios supported by Web sign-in, and a brief animation s
 :::row-end:::
 
 > [!TIP]
-> When used in conjuction with *Windows Hello for Business passworless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+> When used in conjuction with *Windows Hello for Business passwordless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+
 To learn more:
 - [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
 - [Passwordless authentication options for Microsoft Entra ID][AAD-2]