Merge pull request #6133 from MicrosoftDocs/master

Publish 01/03/2022 3:30PM PT
Thomas Raya 2022-01-04 08:10:30 -08:00 committed by GitHub
commit abdec56de6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 180 additions and 32 deletions


@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 12/03/2021 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.collection: highpri ms.collection: highpri
@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service: The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license. 1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license.
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
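Review bot: Step 1 now says "a valid Endpoint Protection Manager license" while the image alt text on the following line still reads "Intune license verification." and the lead-in sentence above the list still says the steps demonstrate settings "using the Intune service"; step 2 likewise replaces Intune with "Mobile Device Management (MDM)" while its link is still titled "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal". Either keep "Intune" in both steps or update the alt text, screenshot and lead-in together so the terminology is consistent within the procedure.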


@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 12/02/2020 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -3693,6 +3693,8 @@ ADMX Info:
<!--Description--> <!--Description-->
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
We do not recommend setting the value to less than 2 days to prevent machines from going out of date.
If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
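Review bot: The added sentence "We do not recommend setting the value to less than 2 days to prevent machines from going out of date." is ambiguous: it reads as if a value below 2 days is what prevents going out of date. State the consequence directly, e.g. "We do not recommend setting the value to less than 2 days, because security intelligence would then be considered out of date before it is normally refreshed." The surrounding paragraph also speaks of "security intelligence", not "machines", being out of date, so keep that term.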


@ -31,6 +31,9 @@ manager: dansimp
<dd> <dd>
<a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a> <a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
</dd> </dd>
<dd>
<a href="#notifications-wnsendpoint">Notifications/WnsEndpoint</a>
</dd>
</dl> </dl>
@ -208,5 +211,77 @@ Validation:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--Policy-->
<a href="" id="notifications-wnsendpoint"></a>**Notifications/WnsEndpoint**
<!--/Policies--> <!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint*
- GP name: *WnsEndpoint*
- GP path: *Start Menu and Taskbar/Notifications*
- GP ADMX file name: *WPN.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
If the policy is not specified, we will default our connection to client.wns.windows.com.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
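Review bot: The SupportedValues section of the new Notifications/WnsEndpoint entry does not say what kind of value the policy takes (the description implies an endpoint FQDN, but neither the data type nor an example value is given); it only restates the default, which the description already gives. Two more points in the same entry: the "GP Friendly name" value, "Required for Airgap servers that may have a unique FQDN that is different from the public endpoint", reads like a description rather than the policy's display name, so please confirm it against WPN.admx; and "allowlisted from your firewall settings" should be "allowed through your firewall", while "Windows Notification Service" and "Windows Push Notifications" should use one consistent expansion of WNS.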


@ -29,6 +29,9 @@ manager: dansimp
<dd> <dd>
<a href="#settings-allowdatetime">Settings/AllowDateTime</a> <a href="#settings-allowdatetime">Settings/AllowDateTime</a>
</dd> </dd>
<dd>
<a href="#settings-alloweditdevicename">Settings/AllowEditDeviceName</a>
</dd>
<dd> <dd>
<a href="#settings-allowlanguage">Settings/AllowLanguage</a> <a href="#settings-allowlanguage">Settings/AllowLanguage</a>
</dd> </dd>
@ -191,6 +194,68 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy disables edit device name option on Settings.
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value, default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage** <a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**
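Review bot: The SupportedValues section of the new Settings/AllowEditDeviceName entry still contains the authoring-template placeholder "Describes what value are supported in by this policy and meaning of each value, default value." and must be replaced with the actual list, in the form the neighbouring policies use ("The following list shows the supported values:" followed by the values and the default). The description "This policy disables edit device name option on Settings." also contradicts the policy's "Allow" name and is missing articles; something like "This policy allows or disallows editing the device name in Settings." would match the other Settings/Allow* entries.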


@ -263,7 +263,7 @@ ms.collection: highpri
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time.
> [!NOTE] > [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
@ -358,7 +358,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from end time.
> [!NOTE] > [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
@ -426,8 +426,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. - 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. - 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. - 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
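Review bot: The edited text for value 1 has a botched merge: it now reads "Enabling the end Enabling the end user to control the start time reduces the risk ... shut down properly on restart.user to control the start time reduces the risk ... shutdown properly on restart." and should be collapsed to the single sentence "Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart." In value 0, "With these option users are notified" should be "With this option, users are notified", and value 2 still says "does not shutdown properly" while value 1 was changed to "shut down"; apply the same spelling in both.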
@ -992,8 +992,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule.
Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -1005,7 +1004,7 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Default value is 7. Default value is 7.
<!--/SupportedValues--> <!--/SupportedValues-->
@ -1045,8 +1044,7 @@ Default value is 7.
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule.
Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -1058,7 +1056,7 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Default value is 7. Default value is 7.
<!--/SupportedValues--> <!--/SupportedValues-->
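Review bot: The new SupportedValues text for Update/ConfigureDeadlineForQualityUpdates says "aggressive installation of a required feature update"; the line it replaces said "required quality update", and the description two hunks above is about quality updates, so this looks like a copy of the feature-update wording. Change "feature update" to "quality update" here.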
@ -1098,8 +1096,7 @@ Default value is 7.
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used.
Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
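Review bot: The new description for Update/ConfigureDeadlineGracePeriod is missing a space after the comma in "(#update-configuredeadlineforqualityupdates),allows". It also narrows the policy to quality updates only, whereas the removed sentence said it applies to both [Update/ConfigureDeadlineForFeatureUpdates] and [Update/ConfigureDeadlineForQualityUpdates]; the later hunk for ConfigureDeadlineGracePeriodForFeatureUpdates does say feature updates fall back to this policy, so please confirm the narrowing is intended and, if so, mention that fallback here as well so the two entries agree.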
@ -1112,7 +1109,7 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update.
Default value is 2. Default value is 2.
<!--/SupportedValues--> <!--/SupportedValues-->
@ -1152,14 +1149,21 @@ Default value is 2.
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows IT admins to set different grace periods for both Quality Updates and Feature Updates. Specifically, when used with used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates).
IT Admins will be able to specify a minimum number of days until restarts occur automatically for Featur Updates. Setting the grace period may extend the effective deadline set by the deadline policies specifically for Feature Updates. When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used.
<!--/Description--> <!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates*
- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supports a numeric value from 0 - 7, which indicates the minimum number of days. Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update.
Default value is 2. Default value is 2.
<!--/SupportedValues--> <!--/SupportedValues-->
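Review bot: In the ADMX Info block added for Update/ConfigureDeadlineGracePeriodForFeatureUpdates, the GP path "Administrative Templates\Windows Components\WindowsUpdate" uses backslashes and includes the "Administrative Templates" root, while the other ADMX Info entries in this PR use forward slashes without that root (for example "Start Menu and Taskbar/Notifications"); please use the same convention. Also "GP name" and "GP element" carry the identical value ConfigureDeadlineGracePeriodForFeatureUpdates; confirm against WindowsUpdate.admx that the policy name is not in fact the one given as the friendly name's policy, since element and policy names normally differ.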
@ -1199,10 +1203,11 @@ Default value is 2.
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart.
If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. <same ADMX info and rest of description>
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
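Review bot: The new text for Update/ConfigureDeadlineNoAutoReboot ends with the literal placeholder "<same ADMX info and rest of description>", which would be published as-is; remove it, since the ADMX Info block that follows is unchanged. The rewritten first sentence also drops the "If enabled ..." / "When disabled ..." structure of the original, so it no longer says what happens when the policy is disabled; keep the "When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline." sentence that now sits at the end of the added line as its own sentence.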


@ -31,7 +31,7 @@ ms.technology: privacy
This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. 
Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
> [!IMPORTANT] > [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
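Review bot: The link for the Windows Restricted Traffic Limited Functionality Baseline is changed from the go.microsoft.com/fwlink redirector (linkid=828887) to a hard-coded download.microsoft.com URL containing a GUID path segment; the redirector exists so the target can be updated when the package is refreshed, so please keep the fwlink unless the redirector itself is broken, in which case fix the redirector. The new paragraph break is fine, but the first new paragraph ends with a trailing space after "organization." that should be removed.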


@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 09/07/2021 ms.date: 01/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -23,7 +23,7 @@ ms.technology: windows-sec
***Event Description:*** ***Event Description:***
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. This event is logged for any logon failure.
It generates on the computer where logon attempt was made, for example, if logon attempt was made on users workstation, then event will be logged on this workstation. It generates on the computer where logon attempt was made, for example, if logon attempt was made on users workstation, then event will be logged on this workstation.
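Review bot: The replacement sentence "This event is logged for any logon failure." is correct but terse compared with the two sentences it replaces; consider "This event is logged for any failed logon attempt, regardless of the reason for the failure" so the reader knows the lockout case is now just one of the statuses in the table below. While this paragraph is being touched, the unchanged next sentence has "users workstation", which should be "the user's workstation".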
@ -293,4 +293,4 @@ For 4625(F): An account failed to log on.
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This issue is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
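Review bot: The status codes in this table mix hexadecimal prefixes: 0XC000015B, 0XC0000192 and 0XC0000413 use an upper-case "0X" while 0xC0000193 uses "0x". Since these rows are in the hunk anyway, normalise them to "0x", the form used for NTSTATUS values elsewhere.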


@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 01/03/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -34,14 +34,14 @@ When devices are configured to accept authentication requests by using online ID
> [!NOTE] > [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard users credentials through Credential Manager. > Linking online IDs can be performed by anyone who has an account that has standard users credentials through Credential Manager.
This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later.
### Possible values ### Possible values
- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!NOTE] > [!NOTE]
> KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
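Review bot: The new version boundary is inconsistent: the paragraph says the policy disallows online identities "from Windows 7 up to Windows 10, Version 1607" and then that it "is enabled by default in Windows 10, Version 1607, and later", so 1607 falls on both sides. The table added in the last hunk uses "prior to Windows 10, Version 1607", so use "up to, but not including, Windows 10, Version 1607" here. The opening sentence "This policy isn't configured by default on domain-joined devices." now also contradicts the enabled-by-default statement for 1607 and later, so qualify it with the same version range.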
@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis
### Best practices ### Best practices
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments.
### Location ### Location
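Review bot: The rewritten best-practice sentence is hard to parse: "Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments." Lead with the environment, e.g. "For on-premises-only environments, set this policy to **Disabled** or leave it not configured so that online identities cannot be used to authenticate. For hybrid and Azure AD-joined environments, set this policy to **Enabled**."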
@ -66,7 +66,8 @@ The following table lists the effective default values for this policy. Default
| Stand-alone server default settings | Not defined| | Stand-alone server default settings | Not defined|
| Domain controller effective default settings | Disabled| | Domain controller effective default settings | Disabled|
| Member server effective default settings | Disabled| | Member server effective default settings | Disabled|
| Effective GPO default settings on client computers | Disabled| | Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
## Security considerations ## Security considerations
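Review bot: The new table row label "Effective GPO default settings on client computers Windows 10, Version 1607 and later" needs a connecting word and the same punctuation as the row above it: "Effective GPO default settings on client computers running Windows 10, Version 1607 and later". There is also a missing space before the pipe after "later".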