Merge branch 'main' into pm-20241029-start

education/windows/suspcs/reference.md

@@ -1,8 +1,8 @@
 ---
 title: Set up School PCs app technical reference overview
-description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
+description: Describes the purpose of the Set up School PCs app for Windows devices.
 ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@@ -12,12 +12,12 @@ appliesto:
 
 The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
 
-If your school uses Microsoft Entra ID or Office 365, the Set up
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up
 School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.
 
 ## Join devices to Microsoft Entra ID
 
-If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
 
 The app also helps set up PCs for use with or without Internet connectivity.
 

windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md

@@ -2,7 +2,7 @@
 title: "Quickstart: configure a kiosk experience with Shell Launcher"
 description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
 ms.topic: quickstart
-ms.date: 02/05/2024
+ms.date: 10/29/2024
 ---
 
 # Quickstart: configure a kiosk experience with Shell Launcher

windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Device registration overview
 description: This article provides an overview on how to register devices in Autopatch.
-ms.date: 09/16/2024
+ms.date: 10/30/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: concept-article
@@ -32,7 +32,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo
 To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites. For more information, see [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md).
 
 > [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 
 The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset.
 

windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates overview
 description: This article explains how Windows feature updates are managed
-ms.date: 09/16/2024
+ms.date: 10/30/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: overview
@@ -21,6 +21,9 @@ ms.collection:
 
 Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
 
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
 ## Multi-phase feature update
 
 Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs.

windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates overview
 description: This article explains how Windows quality updates are managed
-ms.date: 09/16/2024
+ms.date: 10/30/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: conceptual
@@ -54,7 +54,7 @@ The service level objective for each of these states is calculated as:
 > Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service.
 
 > [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 
 ## Out of Band releases
 
@@ -62,11 +62,11 @@ The service level objective for each of these states is calculated as:
 
 Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
 
-For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the set deferral dates.
+For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the specified deferral dates.
 
 ## Pause and resume a release
 
-The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
 
 If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
 

windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md

@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/27/2024
+ms.date: 10/30/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: concept-article
@@ -139,8 +139,8 @@ The following Windows 10/11 editions, build version, and architecture are suppor
 
 Windows Autopatch service supports Windows client devices on the **General Availability Channel**.
 
-> [!NOTE]
+> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 
 ## Configuration Manager co-management requirements
 

windows/security/identity-protection/passwordless-strategy/index.md

@@ -2,7 +2,7 @@
 title: Passwordless strategy overview
 description: Learn about the passwordless strategy and how Windows security features help implementing it.
 ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
 ---
 
 # Passwordless strategy overview

windows/security/identity-protection/passwordless-strategy/journey-step-1.md

@@ -2,7 +2,7 @@
 title: Deploy a passwordless replacement option
 description: Learn about how to deploy a passwordless replacement option, the first step of the Microsoft passwordless journey.
 ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
 ---
 
 # Deploy a passwordless replacement option

windows/security/identity-protection/passwordless-strategy/journey-step-2.md

@@ -2,7 +2,7 @@
 title: Reduce the user-visible password surface area
 description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
 ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
 ---
 
 # Reduce the user-visible password surface area

windows/security/identity-protection/passwordless-strategy/journey-step-3.md

@@ -2,7 +2,7 @@
 title: Transition into a passwordless deployment
 description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
 ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
 ---
 
 # Transition into a passwordless deployment

windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md

@@ -2,7 +2,7 @@
 title: Smart Card and Remote Desktop Services
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
 ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card and Remote Desktop Services

windows/security/identity-protection/smart-cards/smart-card-architecture.md

@@ -2,7 +2,7 @@
 title: Smart Card Architecture
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
 ms.topic: reference-architecture
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Architecture

windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md

@@ -2,7 +2,7 @@
 title: Certificate propagation service
 description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
 ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Certificate propagation service
@@ -19,7 +19,7 @@ The following figure shows the flow of the certificate propagation service. The
 1. The arrow labeled **2** indicates the certification to the reader
 1. The arrow labeled **3** indicates the access to the certificate store during the client session
 
-![Certificate propagation service.](images/sc-image302.gif)
+   ![Certificate propagation service.](images/sc-image302.gif)
 
 1. A signed-in user inserts a smart card
 1. CertPropSvc is notified that a smart card was inserted

windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md

@@ -2,7 +2,7 @@
 title: Certificate Requirements and Enumeration
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Certificate Requirements and Enumeration
@@ -71,7 +71,8 @@ Following are the steps that are performed during a smart card sign-in:
 1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
 1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
 
-    If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
+    If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
+
     If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
 
 1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).

windows/security/identity-protection/smart-cards/smart-card-debugging-information.md

@@ -2,7 +2,7 @@
 title: Smart Card Troubleshooting
 description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
 ms.topic: troubleshooting
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Troubleshooting

windows/security/identity-protection/smart-cards/smart-card-events.md

@@ -2,7 +2,7 @@
 title: Smart card events
 description: Learn about smart card deployment and development events.
 ms.topic: troubleshooting
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart card events

windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md

@@ -2,7 +2,7 @@
 title: Smart Card Group Policy and Registry Settings
 description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
 ms.topic: reference
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Group Policy and Registry Settings

windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md

@@ -2,7 +2,7 @@
 title: How Smart Card Sign-in Works in Windows
 description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
 ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # How Smart Card Sign-in Works in Windows

windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md

@@ -2,7 +2,7 @@
 title: Smart Card Removal Policy Service
 description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
 ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Removal Policy Service

windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md

@@ -2,7 +2,7 @@
 title: Smart Cards for Windows Service
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
 ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Cards for Windows Service

windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md

@@ -2,7 +2,7 @@
 title: Smart Card Tools and Settings
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 ms.topic: get-started
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Tools and Settings

windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md

@@ -2,7 +2,7 @@
 title: Smart Card Technical Reference
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
 ---
 
 # Smart Card Technical Reference

windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md

@@ -17,6 +17,8 @@ This policy setting allows you to control how BitLocker-protected operating syst
 
 If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
 
+For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+
 |  | Path |
 |--|--|
 | **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|