Merge branch 'main' into repo_sync_working_branch

This commit is contained in:
Jeff Borsecnik 2022-05-25 09:01:47 -07:00 committed by GitHub
commit c5318d2489
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 517 additions and 370 deletions

@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
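Review bot: the replacement Windows 10, version 2004 link moves to `software-static.download.prss.microsoft.com` while every other entry in the same list still points at `software-download.microsoft.com` (or `download.microsoft.com`), so it is worth checking in the same pass that those still resolve rather than fixing one link at a time; the Windows 11, version 21H2 entry also spells the package name `amd_64` where all the other entries use `amd64`. Since these .cab files get installed into the OS image by WSUS customers, publishing a SHA-256 per package next to each link would let an admin verify what was downloaded.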

@ -1,93 +1,90 @@
---
title: Secured-Core Configuration Lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
manager: dansimp
keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 03/14/2022
ms.date: 05/24/2022
---
# Secured-Core PC Configuration Lock
# Secured-core PC configuration lock
**Applies to**
- Windows 11
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
To summarize, Config Lock:
To summarize, config lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Enables IT to "lock" secured-core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
- Doesn't prevent malicious attacks
## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune
## Enabling config lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
1. When you reach the Configuration Settings step, select "Add" and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock, change the value to 0.
To turn off config lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
1. Review the Configuration and select "Create" if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.":::
## Configuring Secured-Core PC features
## Configuring secured-core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
## FAQ
**Can an IT admins disable Config Lock ?** </br>
Yes. IT admins can use MDM to turn off Config Lock completely or put it in temporary unlock mode for helpdesk activities.</br>
- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies
|**CSPs** |
|-----|
|[BitLocker ](bitlocker-csp.md) |
|[BitLocker](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
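Review bot: "Detects drift remediates within seconds" in the summary list is missing a conjunction and is about the only line in this block the rewrite left alone; suggest "Detects drift and remediates within seconds". The alt-text edits in this hunk add a trailing period, but the firmware-protection alt text goes the other way (its period is removed), so one convention should be applied to all of them. The System Requirements line still says config lock "will be available" although the rest of the page documents it as shipping on Windows 11; present tense reads better. The reworded "Doesn't prevent malicious attacks" bullet is the right caveat to keep: the page describes drift remediation for registry-backed settings, not a security boundary against a local admin, and it should stay that explicit.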

@ -1,30 +1,31 @@
---
title: Use Quick Assist to help users
description: How IT Pros can use Quick Assist to help users
description: How IT Pros can use Quick Assist to help users.
ms.prod: w10
ms.sitesec: library
ms.topic: article
author: aczechowski
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.reviewer: pmadrigal
ms.collection: highpri
---
# Use Quick Assist to help users
Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a users device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesnt have to authenticate.
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
### Authentication
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time.
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
### Network considerations
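Review bot: the rewritten "Before you begin" paragraph still states that "No particular roles, permissions, or policies are involved" and "The sharer doesn't have to authenticate", while the How it works section says the helper has the same permissions as the sharer on the device once full control is granted. Suggest a one-line pointer here that the sharer should only enter a security code obtained directly from a helper they know, since that code is the only thing gating that access.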
@ -32,18 +33,21 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
Both the helper and sharer must be able to reach these endpoints over port 443:
| Domain/Name | Description |
|-----------------------------------|-------------------------------------------------------|
| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application |
| \*.resources.lync.com | Required for the Skype framework used by Quick Assist |
| \*.infra.lync.com | Required for the Skype framework used by Quick Assist |
| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist |
| \*.login.microsoftonline.com | Required for logging in to the application (MSA) |
| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist |
| \*.aria.microsoft.com | Used for accessibility features within the app |
| \*.api.support.microsoft.com | API access for Quick Assist |
| \*.vortex.data.microsoft.com | Used for diagnostic data |
| \*.channelservices.microsoft.com | Required for chat services within Quick Assist |
| Domain/Name | Description |
|--|--|
| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
| `*.login.microsoftonline.com` | Required for logging in to the application (MSA) |
| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
| `*.aria.microsoft.com` | Used for accessibility features within the app |
| `*.api.support.microsoft.com` | API access for Quick Assist |
| `*.vortex.data.microsoft.com` | Used for diagnostic data |
| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
| `*.skype.com` | Skype requests may vary based on geography. If connection issues persist, test this endpoint. |
| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
| `*.turn.azure.com` | Protocol used to help endpoint. |
| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
## How it works
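Review bot: the `*.turn.azure.com` description "Protocol used to help endpoint." does not say what the endpoint is for; suggest something like "TURN relay used for the session's screen-sharing media traffic". The new `*.skype.com` entry is far broader than the three `lync.com`/`skype.com` hosts it replaces, and its description ("If connection issues persist, test this endpoint") reads as optional; anyone maintaining a firewall allow-list needs to know whether it is required. The sentence above the table says both parties need port 443 to these endpoints; if the ACS or TURN relay also needs UDP, that should be called out in the same place.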
@ -73,9 +77,9 @@ Microsoft logs a small amount of session data to monitor the health of the Quick
- Features used inside the app such as view only, annotation, and session pause
No logs are created on either the helpers or sharers device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session.
No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
The sharer sees only an abbreviated version of the helpers name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days.
The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
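Review bot: "No logs are created on either the helper's or sharer's device" is a strong statement for an incident-response reader, because it can be read as a promise that nothing on the host records the session. If it means that Quick Assist itself writes no session log, say that, and keep the sentence about the helper having the same permissions as the sharer close to it, since that is what makes the question matter.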
@ -83,8 +87,7 @@ In some scenarios, the helper does require the sharer to respond to application
Either the support staff or a user can start a Quick Assist session.
1. Support staff (“helper”) starts Quick Assist in any of a few ways:
1. Support staff ("helper") starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER.
- From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
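Review bot: "starts Quick Assist in any of a few ways" is awkward; suggest "in one of the following ways". The Start menu path "Windows Accessories > Quick Assist" matches the page's `ms.prod: w10` scope; if the page is meant to cover Windows 11 as well, verify that path still applies there.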
@ -94,15 +97,15 @@ Either the support staff or a user can start a Quick Assist session.
3. Helper shares the security code with the user over the phone or with a messaging system.
4. Quick Assist opens on the sharers device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**.
5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
## If Quick Assist is missing
If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it.
If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it.
### Uninstall Quick Assist
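Review bot: in step 5 the helper chooses full control or view-only before the sharer sees the consent dialog in step 6; suggest the step-6 text tell the sharer to check which of the two is being requested before selecting Allow, since that dialog is the only consent point for full control. Step 3 has the helper share the security code "over the phone or with a messaging system" without saying who initiated contact; stating that the sharer should only enter a code they asked a known helper for closes that gap.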
@ -122,4 +125,4 @@ If for some reason a user doesn't have Quick Assist on their system or it's not
## Next steps
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab).
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).


@ -38,7 +38,7 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy
manage-bde -protectors -get <Drive>
```
``` example cmd
```cmd
manage-bde -protectors -get C:
```
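Review bot: changing the fence from `example cmd` to `cmd` fixes the rendering, but the hunk header context still reads "x64 or x32 UEFI"; "x32" is not an architecture name, suggest "x64 or x86 (32-bit)". Also, `manage-bde -protectors -get C:` needs an elevated command prompt, which is worth stating next to the example so readers don't misread an access-denied result as a missing protector.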