Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into recall-optin-9067947

education/windows/change-home-to-edu.md

@@ -21,12 +21,11 @@ Customers with qualifying subscriptions can upgrade student-owned and institutio
 > [!NOTE]
 > To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
 
-IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The following table provides the recommended method depending on the scenario.
+IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). The following table provides the recommended method depending on the scenario.
 
 | Method | Product key source | Device ownership | Best for |
 |-|-|-|-|
 | MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM |
-| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent, or guardian |
 | Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot |
 
 These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
@@ -44,7 +43,7 @@ Some school institutions want to streamline student onboarding for student-owned
 - [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications.
 - [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization.
 
-A full list of CSPs are available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows).
+A full list of CSPs is available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows).
 
 ## Requirements for using a MAK to upgrade from Windows Home to Windows Education
 
@@ -80,13 +79,6 @@ For a full list of methods to perform a Windows edition upgrade and more details
 
 After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system.
 
-The following table highlights the differences by upgrade product key type:
-
-| Product Key Type | Downgrade (in-place) | Reset | Student reinstall |
-|-|-|-|-|
-| VLSC | No | Yes | No |
-| Kivuto OnTheHub | No | Yes | Yes |
-
 ### Downgrade
 
 It isn't possible to downgrade to *Windows Home* from *Windows Education* without reinstalling Windows.
@@ -99,8 +91,6 @@ If the computer is reset, Windows Education is retained.
 
 The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) is used to activate Windows.
 
-If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key before graduation.
-
 For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886).
 
 ### Resale

windows/deployment/TOC.yml

@@ -13,6 +13,8 @@
           href: update/release-cycle.md
         - name: Basics of Windows updates, channels, and tools
           href: update/get-started-updates-channels-tools.md
+        - name: Defining Windows update-managed devices
+          href: update/update-managed-unmanaged-devices.md
         - name: Prepare servicing strategy for Windows client updates
           href: update/waas-servicing-strategy-windows-10-updates.md
         - name: Deployment proof of concept
@@ -113,7 +115,7 @@
             - name: Deploy updates with Group Policy
               href: update/waas-wufb-group-policy.md
             - name: Deploy updates using CSPs and MDM
-              href: update/waas-wufb-csp-mdm.md              
+              href: update/waas-wufb-csp-mdm.md
             - name: Update Windows client media with Dynamic Update
               href: update/media-dynamic-update.md
             - name: Migrating and acquiring optional Windows content
@@ -377,7 +379,7 @@
         - name: Delivery Optimization reference
           href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
         - name: FoD and language packs for WSUS and Configuration Manager
-          href: update/fod-and-lang-packs.md         
+          href: update/fod-and-lang-packs.md
         - name: Windows client in S mode
           href: s-mode.md
         - name: Switch to Windows client Pro or Enterprise from S mode

windows/deployment/update/update-managed-unmanaged-devices.md

@@ -0,0 +1,71 @@
+---
+title: Defining Windows update-managed devices
+description: This article provides clarity on the terminology and practices involved in managing Windows updates for both managed and unmanaged devices.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: overview
+ms.date: 06/25/2024
+author: mikolding
+ms.author: v-mikolding
+ms.reviewer: mstewart,thtrombl,v-fvalentyna,arcarley
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto:
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+---
+
+# Defining Windows update-managed devices
+
+As an IT administrator, understanding the differences between managed and unmanaged devices is crucial for effective Windows update management. This article provides clarity on the terminology and practices involved in managing Windows updates for both types of devices.
+
+## What are update-managed Windows devices?
+
+Update-managed devices are those where an IT administrator or organization controls Windows updates through a management tool, such as Microsoft Intune, or by directly setting policies. You can directly set policies with group policy objects (GPO), configuration service provider (CSP) policies, or Microsoft Graph.
+
+> [!NOTE]
+> This definition is true even if you directly set registry keys. However, we don't recommended doing this action because registry keys can be easily overwritten.
+
+Managed devices can include desktops, laptops, tablets, servers, and manufacturing equipment. These devices are secured and configured according to your organization's standards and policies.
+
+### IT-managed: Windows update offering
+
+Devices are considered Windows update-managed if you manage the update offering in the following ways:
+
+- You configure policies to manage which updates are offered to the specific device.
+- You set when your organization should receive feature, quality, and driver updates, among others.
+- You use [group policy objects (GPO)](/windows/deployment/update/waas-wufb-group-policy), [configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice), or [Microsoft Graph](/windows/deployment/update/deployment-service-overview) to configure these offerings.
+
+### IT-managed: Windows update experience
+
+Devices are considered Windows update-managed if you use policies (GPO, CSP, or Microsoft Graph) to manage device behavior when taking Windows updates.
+
+Examples of controllable device behavior include active hours, update grace periods and deadlines, update notifications, update scheduling, and more. Consult the complete list at [Update Policy CSP](/windows/client-management/mdm/policy-csp-update).
+
+## Examples of update-managed Windows devices
+
+Here are a few examples of update-managed devices:
+
+- **Company-owned devices:** Devices provisioned by your IT department with corporate credentials, configurations, and policies.
+- **Employee-owned devices in BYOD programs:** Personally owned devices that are enrolled in the company's device management system to securely access corporate resources.
+- **Devices provisioned through Windows Autopilot:** Devices that are set up and preconfigured to be business-ready right out of the box.
+- **Mandated security settings:** Devices with health requirements such as device encryption, PIN or strong password, specific inactivity timeout periods, and up-to-date operating systems.
+- **Intune-enrolled devices:** Devices enrolled in Microsoft Intune for network access and enforced security policies.
+- **Third-party managed devices:** Devices enrolled in non-Microsoft management tools with configured Windows update policies via GPO, CSP, or registry key.
+
+## What are update-unmanaged Windows devices?
+
+Unlike update-managed devices, unmanaged devices aren't controlled through policies, management tools, or software. These devices aren't enrolled in tools like Microsoft Intune or Configuration Manager. If you only configure the Settings page to control overall device behavior when taking updates, it's considered an unmanaged device.
+
+> [!NOTE]
+> The term "Microsoft managed devices" used to refer to what we now call "update unmanaged Windows devices." Based on feedback, we have updated our terminology for clarity.
+
+## Examples of update-unmanaged Windows devices
+
+Examples of update-unmanaged devices include:
+
+- **Personal devices:** Devices owned by individuals at your organization that aren't enrolled in any corporate management system.
+- **BYOD devices not enrolled in management programs:** Devices used for work but not part of an organizational bring your own device (BYOD) program.
+- **Peripheral devices:** Devices like printers, IP phones, and uninterruptible power supplies (UPS) that can't accept centrally managed administrative credentials.
+
+For more information on managed and unmanaged devices, see [Secure managed and unmanaged devices](/microsoft-365/business-premium/m365bp-managed-unmanaged-devices).

windows/deployment/update/update-other-microsoft-products.md

@@ -53,6 +53,7 @@ The following is a list of other Microsoft products that might be updated:
 - Microsoft StreamInsight
 - Mobile and IoT
 - MSRC
+- .NET (also known as .NET Core)
 - Office 2016 (MSI versions of Office)
 - PlayReady
 - Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware

windows/security/identity-protection/hello-for-business/faq.yml

@@ -44,7 +44,7 @@ sections:
           The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.
       - question: Where is Windows Hello biometrics data stored?
         answer: |
-            When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+            When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored) and [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication).
       - question: What is the format used to store Windows Hello biometrics data on the device?
         answer: |
           Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it's stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash.

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -85,10 +85,11 @@ BitLocker has the following requirements:
 
 ## Device encryption
 
-*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
+*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access. Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
 
 > [!IMPORTANT]
-> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
+> Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed. As a result, more devices are eligible for automatic and manual device encryption.
+> For more information, see [BitLocker drive encryption in Windows 11 for OEMs](/windows-hardware/design/device-experiences/oem-bitlocker).
 
 Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
 

windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md

@@ -99,6 +99,14 @@ There are rules governing which hint is shown during the recovery (in the order
   :::image type="content" source="images/preboot-recovery-custom-url-single-backup.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL and the hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-custom-url-single-backup.png" border="false":::
   :::column-end:::
 :::row-end:::
+:::row:::
+  :::column span="2":::
+    Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+  :::column-end:::
+  :::column span="2":::
+  :::image type="content" source="images/bitlocker-recovery-screen-msa-backup-24h2.png" alt-text="Screenshot of the BitLocker recovery screen showing a Microsoft account hint where the BitLocker recovery key was saved." lightbox="images/bitlocker-recovery-screen-msa-backup-24h2.png" border="false":::
+  :::column-end:::
+:::row-end:::
 :::row:::
   :::column span="4":::
     #### Example: single recovery password in AD DS and single backup