Freshness review

2025-05-12 13:27:23 +00:00 · 2024-04-23 07:11:43 -04:00 · 2024-04-23 07:11:43 -04:00 · c6a70279c1
commit c6a70279c1
parent 0f8177a842
18 changed files with 332 additions and 638 deletions
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@ -229,6 +229,11 @@
      "source_path": "education/windows/windows-editions-for-education-customers.md",
      "redirect_url": "/education/windows",
      "redirect_document_id": false
    },
    {
      "source_path": "education/windows/configure-windows-for-education.md",
      "redirect_url": "/education/windows",
      "redirect_document_id": false
    }
  ]
 }
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@ -1,159 +0,0 @@
 ---
 title: Windows 10 configuration recommendations for education customers
 description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows 10 configuration recommendations for education customers
 Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
 We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
 In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready.
 | Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | 
 | --- | --- | --- | --- | --- | --- |
 | **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set |
 | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set |
 | **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
 | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set |
 | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
 | **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready </br></br> * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set |
 ## Recommended configuration
 It's easy to be education ready when using Microsoft products. We recommend the following configuration:
 1. Use an Office 365 Education tenant. 
    With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
 2. Activate Intune for Education in your tenant.
    You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
 3. On PCs running Windows 10, version 1703:
   1. Provision the PC using one of these methods:
      * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
      * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
   2. Join the PC to Microsoft Entra ID.
      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
      * Manually Microsoft Entra join the PC during the Windows device setup experience.
   3. Enroll the PCs in MDM.
      * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
   4. Ensure that needed assistive technology apps can be used.
      * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
 4. Distribute the PCs to students.
    Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
 5. Ongoing management through Intune for Education.
    You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
 ## Configuring Windows
 You can configure Windows through provisioning or management tools including industry standard MDM.
 - Provisioning - A one-time setup process.
 - Management - A one-time and/or ongoing management of a PC by setting policies.
 You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
 - [Set up School PCs](use-set-up-school-pcs-app.md)
 - [Intune for Education](/intune-education/available-settings)
 ## AllowCortana
 **AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). 
 > [!NOTE]
 > See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
 Use one of these methods to set this policy.
 ### MDM
 - Intune for Education automatically sets this policy in the **All devices** group policy configuration.
 - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
      For example, in Intune, create a new configuration policy and add an OMA-URI. 
    - OMA-URI:  ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
    - Data type:  Integer
    - Value:  0
 ### Group Policy
 Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
 ### Provisioning tools
 - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
    - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
 ## SetEduPolicies
 **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
 Use one of these methods to set this policy. 
 ### MDM
 - Intune for Education automatically sets this policy in the **All devices** group policy configuration.
 - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
      For example, in Intune, create a new configuration policy and add an OMA-URI.
    - OMA-URI:  ./Vendor/MSFT/SharedPC/SetEduPolicies
    - Data type:  Boolean
    - Value:  true
      ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
 ### Group Policy
 **SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
 For example:
 - Open PowerShell as an administrator and enter the following:
    ```
    $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
    $sharedPC.SetEduPolicies = $True
    Set-CimInstance -CimInstance $sharedPC
    Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
    ```
 ### Provisioning tools
 - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
    - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
        ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png)
 ## Ad-free search with Bing
 Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. 
 ### Configurations
 <a name='azure-ad-and-office-365-education-tenant'></a>
 #### Microsoft Entra ID and Office 365 Education tenant
 To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
 1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
 2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
 4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
 > [!NOTE]
 > If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
 #### Office 365 sign-in to Bing
 To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
 1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
 2. Have students sign into Bing with their Office 365 account.
 ## Related topics
 [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
--- a/education/windows/images/setedupolicies_omauri.png
+++ b/education/windows/images/setedupolicies_omauri.png
--- a/education/windows/images/wcd/setedupolicies.png
+++ b/education/windows/images/wcd/setedupolicies.png
--- a/education/windows/images/wcd/wcd_settings_assignedaccess.png
+++ b/education/windows/images/wcd/wcd_settings_assignedaccess.png
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@ -2,7 +2,7 @@
 title: Configure Windows Hello for Business
 description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
 ms.topic: how-to
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 # Configure Windows Hello for Business
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@ -1,7 +1,7 @@
 ---
 title: Dynamic lock
 description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 02/29/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@ -1,7 +1,7 @@
 ---
 title: Configure single sign-on (SSO) for Microsoft Entra joined devices
 description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
-ms.date: 12/30/2022
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
@ -9,7 +9,7 @@ ms.topic: how-to
 [!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
-Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. As organizations transition resources to the cloud, some resources might remain on-premises, and Microsoft Entra joined devices might need to access them. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 > [!NOTE]
 > These steps are not needed when using the cloud Kerberos trust model.
@ -25,12 +25,12 @@ Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don
 ### CRL Distribution Point (CDP)
-Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes a certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
 During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid.
-![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
+:::image type="content" source="images/aadj/Certificate-CDP.png" alt-text="Screenshot of a certificate's CDP property.":::
-The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
+In the screenshot, the CDP property of the domain controller certificate shows an LDAP path. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
 To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
@ -45,17 +45,18 @@ Certificate authorities write CDP information in certificates as they're issued.
 #### Why does Windows need to validate the domain controller certificate?
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the *strict KDC validation* security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
 - The domain controller has the private key for the certificate provided
 - The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
 - Use the *Kerberos Authentication certificate template* instead of any other older template
 - The domain controller's certificate has the *KDC Authentication* extended key usage (EKU)
 - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain
- The domain controller's certificate's signature hash algorithm is **sha256**
+- The domain controller's certificate's signature hash algorithm is *sha256*
- The domain controller's certificate's public key is **RSA (2048 Bits)**
+- The domain controller's certificate's public key is *RSA (2048 Bits)*
-Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
+> [!IMPORTANT]
 > Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
 ## Configure a CRL distribution point for an issuing CA
@ -118,7 +119,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. In the **Advanced Sharing** dialog box, select **OK**
 > [!Tip]
-> Make sure that users can access **\\\Server FQDN\sharename**.
+> Make sure that users can access `\\Server FQDN\sharename`.
 ### Disable Caching
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
--- a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business authentication works
 description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: reference
 ---
 # Windows Hello for Business authentication
@ -19,7 +19,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
 |B | The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
 |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
@ -58,7 +58,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 > [!NOTE]
-> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
+> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
 ## Microsoft Entra hybrid join authentication using cloud Kerberos trust
--- a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business provisioning works
 description: Learn about the provisioning flows for Windows Hello for Business.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: reference
 appliesto:
 ---
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
-ms.date: 01/09/2024
+ms.date: 04/23/2024
 ms.topic: concept-article
 ---
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business overview
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.topic: overview
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 # Windows Hello for Business
--- a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@ -1,7 +1,7 @@
 ---
 title: Multi-factor unlock
 description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@ -1,7 +1,7 @@
 ---
 title: PIN reset
 description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business policy settings
 description: Learn about the policy settings to configure Configure Windows Hello for Business.
 ms.topic: reference
-ms.date: 01/03/2024
+ms.date: 04/23/2024
 ---
 # Windows Hello for Business policy settings
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Remote Desktop sign-in with Windows Hello for Business
 description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 12/11/2023
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@ -1,7 +1,7 @@
 ---
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 07/27/2023
+ms.date: 04/23/2024
 ms.topic: how-to
 ---
 # WebAuthn APIs for passwordless authentication on Windows
@ -20,7 +20,7 @@ Users of these apps or sites can use any browser that supports WebAuthn APIs for
 Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
-> [!NOTE]  
+> [!NOTE]
 > When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging.
 ## The big picture
@ -29,7 +29,7 @@ The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstractio
 The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally.
-After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.  
+After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.
 The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs.
@ -39,15 +39,15 @@ The following diagram shows how CTAP and WebAuthn interact. The light blue dotte
 A combined WebAuthn/CTAP2 dance includes the following cast of characters:
- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.  
+- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.
- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.  
+- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.
  - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls.
-  
+
-  - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.  
+  - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.
-  
+
-  > [!NOTE]  
+  > [!NOTE]
  > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
 - **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
@ -82,7 +82,7 @@ The following options might be useful in the future, but haven't been observed i
 The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet.
-Here's an approximate layout of where the Microsoft bits go:  
+Here's an approximate layout of where the Microsoft bits go:
 :::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API.":::
@ -94,12 +94,12 @@ Here's an approximate layout of where the Microsoft bits go:
  - Offline scenarios work (enabled by using HMAC)
  - Users can put keys for multiple user accounts on the same authenticator
  - If it's necessary, authenticators can use a client PIN to unlock a TPM
-  > [!IMPORTANT]  
+  > [!IMPORTANT]
  > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
 - **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
-  > [!NOTE]  
+  > [!NOTE]
  > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
 - **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.