mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
Merge branch 'privacy-update-vb' into danbrown-privacy-cobalt
This commit is contained in:
commit
adbc9fec0b
@ -11,7 +11,7 @@ ms.collection:
|
|||||||
- highpri
|
- highpri
|
||||||
- tier2
|
- tier2
|
||||||
ms.technology: itpro-updates
|
ms.technology: itpro-updates
|
||||||
ms.date: 03/09/2023
|
ms.date: 04/25/2023
|
||||||
---
|
---
|
||||||
|
|
||||||
# Manage additional Windows Update settings
|
# Manage additional Windows Update settings
|
||||||
@ -35,6 +35,8 @@ You can use Group Policy settings or mobile device management (MDM) to configure
|
|||||||
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
|
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
|
||||||
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
|
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
|
||||||
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
|
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
|
||||||
|
| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update <!--7679187-->|
|
||||||
|
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
|
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
|
||||||
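Review bot: the new table row (`Allow Windows updates to install before initial user sign-in (registry only)`) leaves the Group Policy and MDM columns empty and names no registry value, whereas the neighbouring organization-name row at least says a registry value controls the behaviour. Suggest naming the value in the row text, e.g. `(registry only: ScanBeforeInitialLogonAllowed)`, so the table is self-describing, and moving the `<!--7679187-->` tracking comment out of the rendered cell if it is not needed there.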
@ -47,7 +49,7 @@ Admins have a lot of flexibility in configuring how their devices scan and recei
|
|||||||
|
|
||||||
[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
|
[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
|
||||||
|
|
||||||
You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
|
You can make custom device groups that will work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
|
||||||
|
|
||||||
Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
|
Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
|
||||||
|
|
||||||
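Review bot: this hunk expands `that'll` to `that will` while contracting `were not` to `weren't` in the same sentence pair; the mixed direction looks accidental. If the intent is the docs style of using contractions, keep `that'll` (or rephrase to `that work with`) rather than expanding it.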
@ -61,10 +63,10 @@ This setting lets you specify a server on your network to function as an interna
|
|||||||
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
|
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
|
||||||
|
|
||||||
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
|
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
|
||||||
If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
|
If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
|
||||||
|
|
||||||
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
|
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
|
||||||
The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
|
The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service doesn't provide download Urls in the update metadata for files that are present on the alternate download server.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
|
>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
|
||||||
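Review bot: the rewritten line still spells `Urls` three times (`download files with missing Urls`, `no download Urls`, `provide download Urls`); since the line is being touched for contractions anyway, normalize to `URLs`. The same line capitalizes `Alternate Download Server` while the preceding paragraph uses `alternate download server`; pick one form.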
@ -109,7 +111,7 @@ Use **Computer Configuration\Administrative Templates\Windows Components\Windows
|
|||||||
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager.
|
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager.
|
||||||
|
|
||||||
This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
|
This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
|
||||||
If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
|
If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer.
|
||||||
If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
|
If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
|
||||||
|
|
||||||
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
|
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
|
||||||
@ -123,8 +125,8 @@ This policy setting allows you to manage whether Automatic Updates accepts updat
|
|||||||
|
|
||||||
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
|
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
|
||||||
|
|
||||||
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
|
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
|
||||||
If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
|
If you disable or don't configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
|
>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
|
||||||
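Review bot: the changed sentence (`if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer`) is the security-relevant condition of this policy, and the contraction edit is fine, but the paragraph never spells out the consequence: once enabled, any publisher whose certificate is present in the local computer's Trusted Publishers store can supply updates through the intranet service. Suggest one sentence saying that the contents of that store should therefore be controlled by the organization, not left to local changes, placed next to the `AllowNonMicrosoftSignedUpdate` MDM reference that follows.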
@ -136,7 +138,7 @@ To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](/windows/
|
|||||||
|
|
||||||
To add more flexibility to the update process, settings are available to control update installation.
|
To add more flexibility to the update process, settings are available to control update installation.
|
||||||
|
|
||||||
[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
|
[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers aren't installed with the rest of the received updates.
|
||||||
|
|
||||||
### Do not include drivers with Windows Updates
|
### Do not include drivers with Windows Updates
|
||||||
|
|
||||||
@ -144,7 +146,7 @@ Allows admins to exclude Windows Update drivers during updates.
|
|||||||
|
|
||||||
To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
|
To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
|
||||||
Enable this policy to not include drivers with Windows quality updates.
|
Enable this policy to not include drivers with Windows quality updates.
|
||||||
If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
|
If you disable or don't configure this policy, Windows Update will include updates that have a Driver classification.
|
||||||
|
|
||||||
### Configure Automatic Updates
|
### Configure Automatic Updates
|
||||||
|
|
||||||
@ -156,13 +158,13 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo
|
|||||||
|
|
||||||
**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
|
**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
|
||||||
|
|
||||||
**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
|
**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
|
||||||
|
|
||||||
**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
|
**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
|
||||||
|
|
||||||
**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions.
|
**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions.
|
||||||
|
|
||||||
**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
|
**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they'll be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
|
||||||
|
|
||||||
If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
|
If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
|
||||||
|
|
||||||
@ -173,7 +175,7 @@ If this setting is set to **Not Configured**, an administrator can still configu
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
|
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
|
||||||
|
|
||||||
In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
|
In an environment that doesn't have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
|
||||||
|
|
||||||
To do this, follow these steps:
|
To do this, follow these steps:
|
||||||
|
|
||||||
@ -203,7 +205,7 @@ To do this, follow these steps:
|
|||||||
|
|
||||||
* **4**: Automatically download and scheduled installation.
|
* **4**: Automatically download and scheduled installation.
|
||||||
|
|
||||||
* **5**: Allow local admin to select the configuration mode. This option is not available for Windows 10 or later versions.
|
* **5**: Allow local admin to select the configuration mode. This option isn't available for Windows 10 or later versions.
|
||||||
|
|
||||||
* **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
|
* **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
|
||||||
|
|
||||||
@ -230,7 +232,7 @@ To do this, follow these steps:
|
|||||||
|
|
||||||
* NoAutoRebootWithLoggedOnUsers (REG_DWORD):
|
* NoAutoRebootWithLoggedOnUsers (REG_DWORD):
|
||||||
|
|
||||||
**0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
|
**0** (false) or **1** (true). If set to **1**, Automatic Updates doesn't automatically restart a computer while users are logged on.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
|
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
|
||||||
@ -264,7 +266,7 @@ The organization name appears automatically for Windows 11 clients that are asso
|
|||||||
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
|
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
|
||||||
|
|
||||||
- **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
|
- **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
|
||||||
- **DWORD value name**: UsoDisableAADJAttribution
|
- **DWORD value name**: UsoDisableAADJAttribution
|
||||||
- **Value data:** 1
|
- **Value data:** 1
|
||||||
|
|
||||||
The following PowerShell script is provided as an example to you:
|
The following PowerShell script is provided as an example to you:
|
||||||
@ -280,3 +282,17 @@ if (!(Test-Path $registryPath))
|
|||||||
|
|
||||||
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
|
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Allow Windows updates to install before initial user sign-in
|
||||||
|
*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update)* <!--7679187-->
|
||||||
|
|
||||||
|
On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.
|
||||||
|
|
||||||
|
In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
|
||||||
|
|
||||||
|
- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
|
||||||
|
- **DWORD value name**: ScanBeforeInitialLogonAllowed
|
||||||
|
- **Value data**: 1
|
||||||
|
|
||||||
|
> [!Warning]
|
||||||
|
> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time.
|
||||||
|
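Review bot: grammar and formatting in the new section: `setting the following registry values allow devices` should be `allows` (the subject is `setting`), `initial user sign in` in the warning should be `sign-in` as in the heading, and the key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator` should be in backticks like the `Orchestrator\Configurations` key earlier in the same file. The warning only mentions performance; since `ScanBeforeInitialLogonAllowed` lets update work start before any user has signed in, consider also stating whether the value should be removed once the device is assigned to a user, so it is not left set indefinitely.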
@ -44,13 +44,16 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
|
|||||||
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
|
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
|
||||||
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
|
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
|
||||||
|
|
||||||
The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
|
The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch:
|
||||||
|
|
||||||
- Windows 10 (1809+)/11 Pro
|
- Windows 10 (1809+)/11 Pro
|
||||||
- Windows 10 (1809+)/11 Enterprise
|
- Windows 10 (1809+)/11 Enterprise
|
||||||
- Windows 10 (1809+)/11 Pro for Workstations
|
- Windows 10 (1809+)/11 Pro for Workstations
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
|
> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version). The devices must be on a [minimum Windows OS currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to keep receiving monthly security updates that are critical to security and the health Windows.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
|
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
|
||||||
|
|
||||||
## Configuration Manager co-management requirements
|
## Configuration Manager co-management requirements
|
||||||
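Review bot: in the new IMPORTANT callout, `the health Windows` is missing `of` (`the health of Windows`), and `minimum windows OS version` should be `Windows`. The two links in that sentence (`minimum Windows OS currently serviced` and `Windows servicing channels`) point to the same URL and carry an `?msclkid=...` tracking parameter that should be dropped from a docs link. The replaced intro line (`editions, build version and architecture are supported to be registered`) reads better as `editions, build versions, and architectures can be registered`.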
@ -58,9 +61,9 @@ The following Windows OS 10 editions, 1809+ builds and architecture are supporte
|
|||||||
Windows Autopatch fully supports co-management. The following co-management requirements apply:
|
Windows Autopatch fully supports co-management. The following co-management requirements apply:
|
||||||
|
|
||||||
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
|
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
|
||||||
- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled:
|
- Configuration Manager must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled and set to either **Pilot Intune** or **Intune**:
|
||||||
- Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
|
- [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies)
|
||||||
- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
|
- [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration)
|
||||||
- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
|
- [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps)
|
||||||
|
|
||||||
For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
|
For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Windows Hello errors during PIN creation
|
title: Windows Hello errors during PIN creation
|
||||||
description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
|
description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
|
||||||
ms.topic: troubleshooting
|
ms.topic: troubleshooting
|
||||||
ms.date: 03/31/2023
|
ms.date: 04/24/2023
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Hello errors during PIN creation
|
# Windows Hello errors during PIN creation
|
||||||
@ -22,7 +22,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
|
|||||||
1. Try to create the PIN again. Some errors are transient and resolve themselves.
|
1. Try to create the PIN again. Some errors are transient and resolve themselves.
|
||||||
2. Sign out, sign in, and try to create the PIN again.
|
2. Sign out, sign in, and try to create the PIN again.
|
||||||
3. Reboot the device and then try to create the PIN again.
|
3. Reboot the device and then try to create the PIN again.
|
||||||
4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**.
|
4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
|
||||||
|
|
||||||
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
|
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
|
||||||
|
|
||||||
@ -31,21 +31,21 @@ If the error occurs again, check the error code against the following table to s
|
|||||||
| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. |
|
| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. |
|
||||||
| 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. |
|
| 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. |
|
||||||
| 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. |
|
| 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. |
|
||||||
| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
|
| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
|
||||||
| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. |
|
| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. |
|
||||||
| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
|
| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
|
||||||
| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
|
| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
|
||||||
| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
|
| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
|
||||||
| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
|
| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
|
||||||
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
|
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
|
||||||
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
|
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
|
||||||
| 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. |
|
| 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. |
|
||||||
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
|
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
|
||||||
| 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. |
|
| 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. |
|
||||||
| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
|
| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
|
||||||
| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
|
| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
|
||||||
| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
|
| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
|
||||||
| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
|
| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
|
||||||
| 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. |
|
| 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. |
|
||||||
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
|
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
|
||||||
| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
|
| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
|
||||||
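Review bot: the three federation-provider rows (0x801C0016, 0x801C0017, 0x801C0018) direct the admin to `http://clientconfig.microsoftonline-p.net/FPURL.xml` over plain HTTP, and the URL is bare text rather than a Markdown link; since this is a step an admin will follow verbatim, consider confirming whether the endpoint is available over HTTPS and linking that form instead. The wording change in the 0x80090029 row (Select **Start**, type `tpm.msc`) is a good style fix.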
@ -53,10 +53,11 @@ If the error occurs again, check the error code against the following table to s
|
|||||||
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
|
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
|
||||||
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
|
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
|
||||||
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
|
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
|
||||||
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
|
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
|
||||||
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
|
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
|
||||||
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
|
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
|
||||||
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
|
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
|
||||||
|
| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
|
||||||
| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
|
| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
|
||||||
|
|
||||||
## Errors with unknown mitigation
|
## Errors with unknown mitigation
|
||||||
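Review bot: the path in the new 0x801C0451 row ends in `\*.*\`, a wildcard followed by a path separator, which is not a valid file pattern; suggest either `...\TokenBroker\Accounts\*.*` (delete the files) or `...\TokenBroker\Accounts\` (delete the folder contents) so it is unambiguous what gets removed. The context rows for 0x801C03ED and 0x801C03F2 are also the only rows in the table without a closing `|`, which is worth fixing while this table is being touched.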
@ -72,7 +73,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
|
|||||||
| 0x80090020 | NTE\_FAIL |
|
| 0x80090020 | NTE\_FAIL |
|
||||||
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
|
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
|
||||||
| 0x8009002D | NTE\_INTERNAL\_ERROR |
|
| 0x8009002D | NTE\_INTERNAL\_ERROR |
|
||||||
| 0x801C0001 | ADRS server response is not in a valid format. |
|
| 0x801C0001 | ADRS server response is not in a valid format. |
|
||||||
| 0x801C0002 | Server failed to authenticate the user. |
|
| 0x801C0002 | Server failed to authenticate the user. |
|
||||||
| 0x801C0006 | Unhandled exception from server. |
|
| 0x801C0006 | Unhandled exception from server. |
|
||||||
| 0x801C000B | Redirection is needed and redirected location is not a well known server. |
|
| 0x801C000B | Redirection is needed and redirected location is not a well known server. |
|
||||||
@ -88,13 +89,3 @@ For errors listed in this table, contact Microsoft Support for assistance.
|
|||||||
| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
|
| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
|
||||||
| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
|
| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
|
||||||
|
|
||||||
## Related topics
|
|
||||||
|
|
||||||
- [Windows Hello for Business](hello-identity-verification.md)
|
|
||||||
- [How Windows Hello for Business works](hello-how-it-works.md)
|
|
||||||
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
|
|
||||||
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
|
|
||||||
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
|
|
||||||
- [Windows Hello and password changes](hello-and-password-changes.md)
|
|
||||||
- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10)
|
|
||||||
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
|
|
||||||
|
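Review bot: this hunk removes the whole **Related topics** list with no replacement on the page; if these links (including the Event ID 300 troubleshooting article) are being moved to the TOC or a next-steps section elsewhere, the PR description should say so, otherwise readers of this troubleshooting page lose the only pointers to the rest of the Windows Hello for Business documentation.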
@ -80,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to
|
|||||||
`<Networking>value</Networking>`
|
`<Networking>value</Networking>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Enables networking in the sandbox.
|
- *Enable*: Enables networking in the sandbox.
|
||||||
- *Disable*: Disables networking in the sandbox.
|
- *Disable*: Disables networking in the sandbox.
|
||||||
- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
|
- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
|
||||||
@ -110,7 +111,6 @@ An array of folders, each representing a location on the host machine that will
|
|||||||
|
|
||||||
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
|
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
|
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
|
||||||
|
|
||||||
@ -136,6 +136,7 @@ Enables or disables audio input to the sandbox.
|
|||||||
`<AudioInput>value</AudioInput>`
|
`<AudioInput>value</AudioInput>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
|
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
|
||||||
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
|
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
|
||||||
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
|
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
|
||||||
@ -150,6 +151,7 @@ Enables or disables video input to the sandbox.
|
|||||||
`<VideoInput>value</VideoInput>`
|
`<VideoInput>value</VideoInput>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Enables video input in the sandbox.
|
- *Enable*: Enables video input in the sandbox.
|
||||||
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
|
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
|
||||||
- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
|
- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
|
||||||
@ -164,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing
|
|||||||
`<ProtectedClient>value</ProtectedClient>`
|
`<ProtectedClient>value</ProtectedClient>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
|
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
|
||||||
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
|
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
|
||||||
- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
|
- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
|
||||||
@ -178,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox.
|
|||||||
`<PrinterRedirection>value</PrinterRedirection>`
|
`<PrinterRedirection>value</PrinterRedirection>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Enables sharing of host printers into the sandbox.
|
- *Enable*: Enables sharing of host printers into the sandbox.
|
||||||
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
|
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
|
||||||
- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
|
- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
|
||||||
@ -189,6 +193,7 @@ Enables or disables sharing of the host clipboard with the sandbox.
|
|||||||
`<ClipboardRedirection>value</ClipboardRedirection>`
|
`<ClipboardRedirection>value</ClipboardRedirection>`
|
||||||
|
|
||||||
Supported values:
|
Supported values:
|
||||||
|
|
||||||
- *Enable*: Enables sharing of the host clipboard with the sandbox.
|
- *Enable*: Enables sharing of the host clipboard with the sandbox.
|
||||||
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
|
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
|
||||||
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
|
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
|
||||||
@ -202,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
|
|||||||
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
|
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
|
||||||
|
|
||||||
## Example 1
|
## Example 1
|
||||||
|
|
||||||
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
|
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
|
||||||
|
|
||||||
### Downloads.wsb
|
### Downloads.wsb
|
||||||
@ -233,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
|
|||||||
|
|
||||||
### VSCodeInstall.cmd
|
### VSCodeInstall.cmd
|
||||||
|
|
||||||
Download vscode to `downloads` folder and run from `downloads` folder
|
Download vscode to `downloads` folder and run from `downloads` folder.
|
||||||
|
|
||||||
```batch
|
```batch
|
||||||
REM Download Visual Studio Code
|
REM Download Visual Studio Code
|
||||||
@ -264,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
|
|||||||
</LogonCommand>
|
</LogonCommand>
|
||||||
</Configuration>
|
</Configuration>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Example 3
|
||||||
|
|
||||||
|
The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
|
||||||
|
|
||||||
|
`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
|
||||||
|
|
||||||
|
### SwapMouse.ps1
|
||||||
|
|
||||||
|
Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
|
||||||
|
|
||||||
|
$SwapButtons = Add-Type -MemberDefinition @'
|
||||||
|
[DllImport("user32.dll")]
|
||||||
|
public static extern bool SwapMouseButton(bool swap);
|
||||||
|
'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
|
||||||
|
|
||||||
|
$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
|
||||||
|
```
|
||||||
|
|
||||||
|
### SwapMouse.wsb
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<Configuration>
|
||||||
|
<MappedFolders>
|
||||||
|
<MappedFolder>
|
||||||
|
<HostFolder>C:\sandbox</HostFolder>
|
||||||
|
<SandboxFolder>C:\sandbox</SandboxFolder>
|
||||||
|
<ReadOnly>True</ReadOnly>
|
||||||
|
</MappedFolder>
|
||||||
|
</MappedFolders>
|
||||||
|
<LogonCommand>
|
||||||
|
<Command>powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1</Command>
|
||||||
|
</LogonCommand>
|
||||||
|
</Configuration>
|
||||||
|
```
|
||||||
|
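Review bot: `SwapMouse.wsb` uses `<ReadOnly>True</ReadOnly>` while the *ReadOnly* section earlier in this file documents the supported values as *true*/*false*; use the lowercase form so the example matches the reference text. In `SwapMouse.ps1`, `[Reflection.Assembly]::LoadWithPartialName` is deprecated; `Add-Type -AssemblyName System.Windows.Forms` is the supported way to load the assembly. The lead-in should read "Create a PowerShell script" (capitalized product name). Mapping `C:\sandbox` read-only and running the script with `-ExecutionPolicy Bypass` is acceptable here because the sandbox is disposable and the script cannot modify the host folder, which is worth stating in the text so readers do not copy the `Bypass` pattern elsewhere.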
@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta
|
|||||||
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
|
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
|
||||||
|
|
||||||
Windows Sandbox has the following properties:
|
Windows Sandbox has the following properties:
|
||||||
|
|
||||||
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
|
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
|
||||||
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
|
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
|
||||||
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
|
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
|
||||||
@ -33,12 +34,16 @@ Windows Sandbox has the following properties:
|
|||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
|
- Windows 10, version 1903 and later, or Windows 11
|
||||||
- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
|
- Windows Pro, Enterprise or Education edition
|
||||||
|
- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
|
||||||
- Virtualization capabilities enabled in BIOS
|
- Virtualization capabilities enabled in BIOS
|
||||||
- At least 4 GB of RAM (8 GB recommended)
|
- At least 4 GB of RAM (8 GB recommended)
|
||||||
- At least 1 GB of free disk space (SSD recommended)
|
- At least 1 GB of free disk space (SSD recommended)
|
||||||
- At least two CPU cores (four cores with hyperthreading recommended)
|
- At least two CPU cores (four cores with hyper-threading recommended)
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Windows Sandbox is currently not supported on Windows Home edition
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
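Review bot: the new NOTE line `> Windows Sandbox is currently not supported on Windows Home edition` is missing its terminal period. The ARM64 bullet now says "Windows 11, version 22H2 and later" where the removed bullet cited Insider build 22483 with a link; that is fine if 22H2 is the first GA release with ARM64 support, but the dropped link was the only source given, so consider keeping a reference. Splitting the version requirement and the edition requirement into separate bullets is clearer than the old combined line.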
@ -67,9 +72,10 @@ Windows Sandbox has the following properties:
|
|||||||
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
|
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually.
|
> Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
|
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
|
||||||
|
|
||||||
2. Run the executable file or installer inside the sandbox.
|
2. Run the executable file or installer inside the sandbox.
|
||||||
|
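Review bot: the rewritten NOTE uses "does not" while the surrounding page uses contractions ("aren't", "it's", "can't"), so "doesn't" would match the house style. The link to `windows-sandbox-configure-using-wsb-file.md#example-3` depends on the `## Example 3` heading added in the other file in this same commit, so the two files must ship together or the anchor breaks. Changing "right-handed" to "left-handed" and "should" to "must" corrects the sentence, since the manual step is only needed when the host deviates from the default mouse setting.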