Merge branch 'main' into jgeurten-add-wdac-wizard-instructions

windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md

@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/30/2023
+ms.date: 02/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -814,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md)
 - [SetEDURestart](policy-csp-update.md)
 - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md)
+- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md)
 - [SetDisableUXWUAccess](policy-csp-update.md)
 - [SetDisablePauseUXAccess](policy-csp-update.md)
 - [UpdateNotificationLevel](policy-csp-update.md)

windows/client-management/mdm/policy-csp-update.md

@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/18/2023
+ms.date: 02/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,6 +16,9 @@ ms.topic: reference
 <!-- Update-Begin -->
 # Policy CSP - Update
 
+> [!IMPORTANT]
+> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+
 <!-- Update-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Update-Editable-End -->
@@ -23,6 +26,7 @@ ms.topic: reference
 Update CSP policies are listed below based on the group policy area:
 
 - [Windows Insider Preview](#windows-insider-preview)
+  - [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol)
   - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
   - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
 - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@@ -103,6 +107,75 @@ Update CSP policies are listed below based on the group policy area:
 
 ## Windows Insider Preview
 
+<!-- AllowTemporaryEnterpriseFeatureControl-Begin -->
+### AllowTemporaryEnterpriseFeatureControl
+
+<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl
+```
+<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-Description-Begin -->
+<!-- Description-Source-ADMX -->
+Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*.
+
+- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on.
+
+- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed.
+
+*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS).
+<!-- AllowTemporaryEnterpriseFeatureControl-Description-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowTemporaryEnterpriseFeatureControl-Editable-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. |
+| 1 | Allowed. |
+<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowTemporaryEnterpriseFeatureControl |
+| Friendly Name | Enable features introduced via servicing that are off by default |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| Registry Value Name | AllowTemporaryEnterpriseFeatureControl |
+| ADMX File Name | WindowsUpdate.admx |
+<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowTemporaryEnterpriseFeatureControl-Examples-End -->
+
+<!-- AllowTemporaryEnterpriseFeatureControl-End -->
+
 <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
 ### ConfigureDeadlineNoAutoRebootForFeatureUpdates
 
@@ -2589,7 +2662,7 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
 
 <!-- ScheduledInstallDay-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the IT admin to schedule the day of the update installation. The data type is a integer.
+Enables the IT admin to schedule the day of the update installation. The data type is an integer.
 <!-- ScheduledInstallDay-Description-End -->
 
 <!-- ScheduledInstallDay-Editable-Begin -->
@@ -2660,7 +2733,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty
 
 <!-- ScheduledInstallEveryWeek-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the IT admin to schedule the update installation on the every week. Value type is integer.
+Enables the IT admin to schedule the update installation every week. Value type is integer.
 <!-- ScheduledInstallEveryWeek-Description-End -->
 
 <!-- ScheduledInstallEveryWeek-Editable-Begin -->
@@ -2985,7 +3058,7 @@ Enables the IT admin to schedule the update installation on the third week of th
 
 <!-- ScheduledInstallTime-Description-Begin -->
 <!-- Description-Source-DDF -->
- the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
+ the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
 <!-- ScheduledInstallTime-Description-End -->
 
 <!-- ScheduledInstallTime-Editable-Begin -->
@@ -3044,7 +3117,7 @@ Enables the IT admin to schedule the update installation on the third week of th
 
 <!-- SetDisablePauseUXAccess-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This setting allows to remove access to "Pause updates" feature.
+This setting allows removing access to "Pause updates" feature.
 
 Once enabled user access to pause updates is removed.
 <!-- SetDisablePauseUXAccess-Description-End -->

windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md

@@ -17,8 +17,6 @@ msreviewer: hathind
 > [!IMPORTANT]
 > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
 
-You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-
 ## Submit a new support request
 
 Support requests are triaged and responded to as they're received.

windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/02/2023
+ms.date: 02/07/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -73,6 +73,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
 
 ## Pausing and resuming a release
 
+> [!CAUTION]
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+
 > [!IMPORTANT]
 > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
 
@@ -88,18 +91,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
 
-If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update.
+If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
 
 > [!NOTE]
-> The **Service Paused** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
+> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
 
 ## Rollback
 
-Windows Autopatch doesn’t support the rollback of Windows Feature updates.
+Windows Autopatch doesn’t support the rollback of Windows feature updates.
 
 > [!CAUTION]
-> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update.
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 
 ## Contact support
 
-If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).

windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 12/15/2022
+ms.date: 02/07/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+msreviewer: andredm7
 ---
 
 # Windows quality updates
@@ -89,7 +89,7 @@ By default, the service expedites quality updates as needed. For those organizat
 **To turn off service-driven expedited quality updates:**
 
 1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
-2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting.
+2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
 
 > [!NOTE]
 > Windows Autopatch doesn't allow customers to request expedited releases.
@@ -108,6 +108,11 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 
 ### Pausing and resuming a release
 
+> [!CAUTION]
+> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+
+The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+
 If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
 
 > [!IMPORTANT]
@@ -125,12 +130,13 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
 
-There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
+The three following statuses are associated with paused quality updates:
 
 | Status | Description |
 | ----- | ------ |
-| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
-| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
+| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
+| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
+| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
 
 ## Remediating Ineligible and/or Not up to Date devices
 

windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md

@@ -14,7 +14,7 @@ msreviewer: hathind
 
 # Submit a tenant enrollment support request
 
-If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool.
 
 > [!NOTE]
 > After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md).

windows/security/identity-protection/remote-credential-guard.md

@@ -128,7 +128,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on
     
     - Add a new DWORD value named **DisableRestrictedAdmin**.
     
-    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
+    - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
     
 3. Close Registry Editor.
 
@@ -189,4 +189,4 @@ mstsc.exe /remoteGuard
 
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
 
-- The server and client must authenticate using Kerberos.
+- The server and client must authenticate using Kerberos.