Merge pull request #8055 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/security/identity-protection/hello-for-business/hello-faq.yml

@@ -109,7 +109,7 @@ sections:
           - The PIN 9630 has a constant delta of (7,7,7), so it isn't allowed
           - The PIN 1593 has a constant delta of (4,4,4), so it isn't allowed
           - The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed
-          - The PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed
+          - The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed
           - The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed
           
           This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs.

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -33,7 +33,7 @@ Conditional Access Platform components used for Device Compliance include the fo
 - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
 See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
 
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
 
 - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
 
@@ -125,4 +125,4 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 - [VPN name resolution](vpn-name-resolution.md)
 - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
 - [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
+- [VPN profile options](vpn-profile-options.md)

windows/security/threat-protection/auditing/event-4769.md

@@ -194,7 +194,12 @@ The most common values:
 | 0x18                     | RC4-HMAC-EXP            | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
 | 0xFFFFFFFF or 0xffffffff | -                       | This type shows in Audit Failure events.                                          |
 
--   **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event:
+-   **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. 
+Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags:
+- 0x01: Audit SPN unknown errors.
+- 0x10: Log audit events on encryption type (ETYPE) and bad options errors.
+
+The table below contains the list of the most common error codes for this event:
 
 | Code | Code Name                              | Description                                                                 | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 |------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|