Merge branch 'main' into patch-3

windows/client-management/manage-windows-copilot.md

@@ -3,7 +3,7 @@ title: Updated Windows and Microsoft Copilot experience
 description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
 ms.topic: overview
 ms.subservice: windows-copilot
-ms.date: 09/16/2024
+ms.date: 09/18/2024
 ms.author: mstewart
 author: mestew
 ms.collection:
@@ -58,7 +58,7 @@ For users signing in to new PCs with work or school accounts, the following expe
 
 The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
 
-The shift to the Microsoft 365 app as the entry point for Microsoft Copilot will align with the annual Windows 11 feature update release. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
+The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
 
 > [!IMPORTANT]
 > Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning.

windows/deployment/windows-autopatch/TOC.yml

@@ -118,13 +118,8 @@
                   href: monitor/windows-autopatch-reliability-report.md
             - name: Windows feature and quality update device alerts
               href: monitor/windows-autopatch-device-alerts.md
-        - name: Policy health
-          href:
-          items:
         - name: Policy health and remediation
           href: monitor/windows-autopatch-policy-health-and-remediation.md
-            - name: Resolve policy conflicts
-              href: monitor/windows-autopatch-resolve-policy-conflicts.md
         - name: Maintain the Windows Autopatch environment
           href: monitor/windows-autopatch-maintain-environment.md
     - name: References

windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md

@@ -63,7 +63,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
 | [Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
 | [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
 | [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
-| Policy health |<ul><li>[Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md)</li><ul><li>When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service.</li></ul></ul><ul><li>[Resolve policy conflicts](../monitor/windows-autopatch-resolve-policy-conflicts.md)</li><ul><li>o	When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. With the Resolve policy conflicts feature, you can review the policies and their settings and manually resolve these conflicts.</li></ul><ul> |
+| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
 | Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
 | [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
 

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md

@@ -36,7 +36,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Article | Description |
 | ----- | ----- |
 | [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the [Reliability report](../operate/windows-autopatch-reliability-report.md) feature |
-| [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) | Added the [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) feature |
 
 ## February 2024
 

windows/privacy/configure-windows-diagnostic-data-in-your-organization.md

@@ -137,11 +137,11 @@ This approach is the most complex because it requires the following configuratio
 
 ### Data access
 
-The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. 
+The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://www.microsoft.com/privacy/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. 
 
 ### Retention
 
-Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
+Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement).
 
 ## Diagnostic data settings
 
@@ -316,7 +316,7 @@ The Windows diagnostic data processor configuration enables you to be the contro
 - The device must be joined to Azure Active Directory (can be a hybrid Azure AD join).
 
 > [!NOTE]
-> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
 
 For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. For release information, see [Windows 10 Enterprise and Education](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11 Enterprise and Education](/lifecycle/products/windows-11-enterprise-and-education) on the Microsoft Lifecycle Policy site.
 

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -1616,7 +1616,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
 ### <a href="" id="bkmk-wifisense"></a>23. Wi-Fi Sense
 
 > [!IMPORTANT]
-> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
+> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://support.microsoft.com/windows/bcec4e8b-00e7-4930-d3ff-5349a3e70037) for more details.
 
 Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
 

windows/privacy/windows-privacy-compliance-guide.md

@@ -44,11 +44,11 @@ The following table provides an overview of the Windows 10 and Windows 11 privac
 
 | Feature/Setting | Description | Supporting content | Privacy statement |
 | --- | --- | --- | --- |
-| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
-| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
-| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
+| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
-| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
+| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) |
-| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) |
 | Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
 
 
@@ -201,7 +201,7 @@ If a user signs in to a Windows experience or app on their device with their Mic
 
 Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders.
 
-Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
+The [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
 
 ## 5. Related Windows product considerations
 
@@ -243,7 +243,7 @@ Microsoft Intune is a cloud-based endpoint management solution. It manages user
 * [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
 * [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
 * [Windows IT Pro Docs](/windows/#pivot=it-pro)
-* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+* [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement)
 * [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
+* [Privacy at Microsoft](https://www.microsoft.com/privacy)
 * [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
 
 ### Use registry keys to enable memory integrity
 
-Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
+Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
 
 > [!IMPORTANT]
 >
@@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-**To enable VBS with Secure Boot and DMA (value 3)**
+**To enable VBS with Secure Boot and DMA protection (value 3)**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
@@ -131,6 +131,17 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
 ```
 
+**To enable VBS (and memory integrity) in mandatory mode**
+
+```console
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
+```
+
+The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
+
+> [!IMPORTANT]
+> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
+
 **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
 ```console
 reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f

windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md

@@ -2,7 +2,7 @@
 title: PDE settings and configuration
 description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
 ---
 
 # PDE settings and configuration
@@ -36,6 +36,21 @@ The following table lists the recommended settings to improve PDE's security.
 
 ## Configure PDE with Microsoft Intune
 
+If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+
+### Disk encryption policy
+
+To configure devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Enable Personal Data Encryption** and configure the settings as needed.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
+### Settings catalog policy
+
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 
 | Category | Setting name | Value |
@@ -80,6 +95,17 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
 
 Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
 
+### Disable PDE with a disk encryption policy
+
+To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Disable Personal Data Encryption**.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
 ### Disable PDE with a settings catalog policy in Intune
 
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]

windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml

@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption (PDE)
   description: Answers to common questions regarding Personal Data Encryption (PDE).
   ms.topic: faq
-  ms.date: 05/06/2024
+  ms.date: 09/24/2024
 
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |

windows/security/operating-system-security/data-protection/personal-data-encryption/index.md

@@ -2,7 +2,7 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
 ---
 
 # Personal Data Encryption (PDE)