Merge branch 'main' into add_new_LAPS_CSP_docs

2025-06-22 22:03:46 +00:00 · 2022-09-19 14:22:19 -07:00
parent 895d6ab3e7 594e1310a4
commit bb4a8c4169
85 changed files with 687 additions and 1699 deletions
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@ -44,6 +44,3 @@ You can use the same management tools to manage all device types running Windows
 [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)

 [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
-
-Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
- 
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@ -52,8 +52,11 @@ Available naming macros:

 |Macro|Description|Example|Generated Name|
 |:---|:---|:---|:---|
-|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
-|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
+|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`|
+|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`|
+
+> [!NOTE]
+> If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters.

 Supported operation is Add.

--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@ -565,7 +565,7 @@ The data type is string.

 Default string is as follows:

-`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
+`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`

 Add **SDDL**

@ -1677,4 +1677,4 @@ To read a log file:

 ## Related topics

-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@ -2028,7 +2028,7 @@ The content below are the latest versions of the DDF files:
                    <Delete />
                    <Replace />
                  </AccessType>
-                  <Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
+                  <Description>SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
                  <DFFormat>
                    <chr />
                  </DFFormat>
@ -2178,9 +2178,3 @@ The content below are the latest versions of the DDF files:
  

  
-
-
-
-
-
-
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -219,7 +219,7 @@ Requirements:

 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.

-5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`.
+5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.

   If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.

--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@ -92,7 +92,7 @@ The XML below is the current version for this CSP.
            <AccessType>
              <Get />
            </AccessType>
-            <Description>Provides the current status of the device health request.  For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
+            <Description>Provides the current status of the device health request.  For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
            <DFFormat>
              <int />
            </DFFormat>
@ -456,9 +456,3 @@ The XML below is the current version for this CSP.
  

  
-
-
-
-
-
-
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@ -150,6 +150,15 @@ If you disable or don't configure this policy setting, the PIN will be provision

 Supported operations are Add, Get, Delete, and Replace.

+<a href="" id="tenantid-policies-usecloudtrustforonpremauth--only-for---device-vendor-msft-"></a>***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)  
+Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+
+If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+
+If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+
+Supported operations are Add, Get, Delete, and Replace.
+
 <a href="" id="tenantid-policies-pincomplexity"></a>***TenantId*/Policies/PINComplexity**  
 Node for defining PIN settings.

--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
-   GP Friendly name: *Define security intelligence location for VDI clients*
+-   GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
 -   GP name: *SecurityIntelligenceLocation*
 -   GP element: *SecurityIntelligenceLocation*
-   GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
+-   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender*
 -   GP ADMX file name: *WindowsDefender.admx*

 <!--/ADMXMapped-->
 <!--SupportedValues-->

 - Empty string - no policy is set
- Non-empty string - the policy is set and security intelligence is gathered from the location
+- Non-empty string - the policy is set and security intelligence is gathered from the location.

 <!--/SupportedValues-->
 <!--/Policy-->
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver
 <!--SupportedValues-->
 The following list shows the supported values:

-   0 - Don't allow
+-   0 - Doesn't allow
 -   1 - Allow

 <!--/SupportedValues-->
@ -166,9 +166,9 @@ The table below shows the applicability of Windows:
 <!--Description-->
 This policy setting allows you to disable the infrastructure movement detection feature.

-If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure.
+- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure.

-If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session.
+- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session.

 The default value is 1.

@ -177,7 +177,7 @@ The default value is 1.

 The following list shows the supported values:

- 0 - Don't allow
+- 0 - Doesn't allow
 - 1 (Default) - Allow

 <!--/SupportedValues-->
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -322,10 +322,8 @@ Supported operation is Get.
 - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
 - Bit 1 - Set to 1 when the client machine is Hyper-V capable.
 - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
 - Bit 4 - Set to 1 when required Network Isolation Policies are configured.
-   > [!IMPORTANT]
-   > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
 - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
 - Bit 6 - Set to 1 when system reboot is required.

@ -381,4 +379,4 @@ ADMX Info:

 ## Related topics

-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)