Merge branch 'main' into FAQ_March2022

windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md

@@ -120,7 +120,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
       |--------------|----------------------------|----------------|
       | Add element  | Specifies which products and languages the package will include.     | N/A     |
       | **OfficeClientEdition** (attribute of **Add** element) | Specifies whether Office 2016 32-bit or 64-bit edition will be used. **OfficeClientEdition**  must be set to a valid value for the operation to succeed.     | `OfficeClientEdition="32"`<br>`OfficeClientEdition="64"`  |
-      | Product element   | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](/office365/troubleshoot/installation).   | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
+      | Product element   | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](/office365/troubleshoot/installation/product-ids-supported-office-deployment-click-to-run).   | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
       | Language element     | Specifies which language the applications support.    | `Language ID="en-us"`   |
       | Version (attribute of **Add** element) | Optional. Specifies which build the package will use.<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source).   | `16.1.2.3`    |
       | SourcePath (attribute of **Add** element)   | Specifies the location the applications will be saved to.    | `Sourcepath = "\\Server\Office2016"`     |

windows/client-management/advanced-troubleshooting-boot-problems.md

@@ -15,6 +15,8 @@ ms.collection: highpri
 
 # Advanced troubleshooting for Windows boot problems
 
+<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
+
 > [!NOTE]
 > This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
 

windows/client-management/mdm/vpnv2-csp.md

@@ -771,7 +771,9 @@ Reserved for future use.
 Reserved for future use.
 
 <a href="" id="vpnv2-profilename-nativeprofile-cryptographysuite"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/CryptographySuite**  
-Added in Windows 10, version 1607. Properties of IPSec tunnels.
+Added in Windows 10, version 1607. Properties of IPSec tunnels. 
+
+[!NOTE] If you specify any of the properties under CryptographySuite, you must specify all of them. It's not valid to specify just some of the properties.
 
 <a href="" id="vpnv2-profilename-nativeprofile-cryptographysuite-authenticationtransformconstants"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/CryptographySuite/AuthenticationTransformConstants**  
 Added in Windows 10, version 1607.

windows/configuration/provisioning-packages/provisioning-packages.md

@@ -79,7 +79,7 @@ The following table describes settings that you can configure using the wizards
 | Set up device | Assign device name, enter product key to upgrade Windows, configure shared used, remove pre-installed software | ✔️ | ✔️ | ✔️ |
 | Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ |
 | Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ |
-| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). | ❌ | ❌ | ❌ |
+| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory using Bulk Token</br></br> [Set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Azure AD enrollment,. | ✔️ | ✔️ | ✔️ |
 | Add applications | Install applications using the provisioning package.  | ✔️ | ✔️ | ❌ |
 | Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ |
 | Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ |

windows/deployment/update/windows-update-troubleshooting.md

@@ -20,6 +20,8 @@ ms.collection: highpri
 -   Windows 10
 -   Windows 11
 
+<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=wu" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows Update issues</span>
+
 If you run into problems when using Windows Update, start with the following steps: 
  
 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. 

windows/deployment/windows-10-subscription-activation.md

@@ -125,6 +125,8 @@ If the device is running Windows 10, version 1809 or later:
 
    ![Subscription Activation with MFA example 3.](images/sa-mfa3.png)
 
+Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue.
+
 ### Windows 10/11 Education requirements
 
 - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1,5 +1,5 @@
 ---
-title: Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
+title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services
 description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
 ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
 ms.reviewer:

windows/security/identity-protection/access-control/access-control.md

@@ -131,7 +131,7 @@ For more information about user rights, see [User Rights Assignment](/windows/de
 
 With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
 
-For more information about auditing, see [Security Auditing Overview](/windows/device-security/auditing/security-auditing-overview).
+For more information about auditing, see [Security Auditing Overview](/windows/security/threat-protection/auditing/security-auditing-overview).
 
 ## See also
 

windows/security/identity-protection/hello-for-business/hello-deployment-issues.md

@@ -29,7 +29,7 @@ Applies to:
 - Windows 10, version 1803 and later
 - Windows 11
 
-PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now".
+PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
 
 ### Identifying Azure AD joined PIN Reset Allowed Domains Issue
 
@@ -57,11 +57,11 @@ In Hybrid key trust deployments with domain controllers running certain builds o
 
 After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key will be written to the msDS-KeyCredentialLink attribute of the user object.
 
-Before the user's Windows Hello for Business key is synced, sign-in's with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* After the sync is successful, the user should be able to login and unlock with their PIN or enrolled biometrics.
+Before the user's Windows Hello for Business key is synced, sign-in's with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* After the sync is successful, the user should be able to log in and unlock with their PIN or enrolled biometrics.
 
 In environments impacted with this issue, after the first sign-in with Windows Hello for Business after provisioning is completed, the next sign-in attempt will fail. In environments where domain controllers are running a mix of builds, only some may be impacted by this issue and subsequent logon attempts may be sent different domain controllers. This may result in the sign-in failures appearing to be intermittent.
 
-After the initial logon attempt, the user's Windows Hello for Business public key is being deleted from the msDS-KeyCredentialLink attribute. This can be verified by querying a user's msDS-KeyCredentialLink attribute before and after sign-in. The msDS-KeyCredentialLink can be queried in AD using [Get-ADUser](/powershell/module/addsadministration/get-aduser) and specifying *msds-keycredentiallink* for the *-Properties* parameter.
+After the initial logon attempt, the user's Windows Hello for Business public key is being deleted from the msDS-KeyCredentialLink attribute. This can be verified by querying a user's msDS-KeyCredentialLink attribute before and after sign-in. The msDS-KeyCredentialLink can be queried in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying *msds-keycredentiallink* for the *-Properties* parameter.
 
 ### Resolving User Public Key Deletion Issue
 

windows/security/information-protection/encrypted-hard-drive.md

@@ -21,6 +21,7 @@ ms.date: 04/02/2019
 - Windows Server 2022
 - Windows Server 2019
 - Windows Server 2016
+- Azure Stack HCI
 
 Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
 
@@ -32,8 +33,8 @@ Encrypted Hard Drives provide:
 
 -   **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
 -   **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
--   **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
--   **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+-   **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
+-   **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
 
 Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
 
@@ -77,13 +78,13 @@ Rapid encryption in BitLocker directly addresses the security needs of enterpris
 Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include:
 
 -   **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
--   **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work.
+-   **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
 -   **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
--   **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work.
+-   **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
 
 ## Configuring hardware-based encryption with Group Policy
 
-There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
+There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
 
 - [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd)  
 - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
@@ -93,14 +94,14 @@ There are three related Group Policy settings that help you manage how BitLocker
 
 Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
 
-The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It is stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
+The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
 
 The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK.
 
 When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data
 Encryption Key, read-write operations can take place on the device.
 
-When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
+When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
 
 ## Re-configuring Encrypted Hard Drives
 

windows/security/threat-protection/security-policy-settings/minimum-password-length.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 03/30/2022
 ms.technology: windows-sec
 ---
 
@@ -36,7 +36,7 @@ The **Minimum password length** policy setting determines the least number of ch
 
 ### Best practices
 
-Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
+Set Minimum password length to at least a value of 14. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
 
 Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls.
 

windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md

@@ -85,8 +85,8 @@ In addition to the steps outlined above, the binary policy file must also be cop
 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: 
 
     ```powershell
-   $MountPoint = 'C:\EFI'
-   $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active"
+   $MountPoint = 'C:\EFIMount'
+   $EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active"
    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
    mountvol $MountPoint $EFIPartition
    mkdir $EFIDestinationFolder

windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md

@@ -59,7 +59,7 @@ The following video provides an overview of Windows Sandbox.
      Set-VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true
      ```
 
-3. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
+3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
 
    If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.