Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/azure-resource-manager/templates/template-specs-create-linked.md

@@ -23,7 +23,7 @@ Create the main template and the linked template.
 
 To link a template, add a [deployments resource](/azure/templates/microsoft.resources/deployments) to your main template. In the `templateLink` property, specify the relative path of the linked template in accordance with the path of the parent template.
 
-The linked template is called **linkedTemplate.json**, and is stored in a subfolder called **artifacts** in the path where the main template is stored.  You can use one of the follow values for the relativePath:
+The linked template is called **linkedTemplate.json**, and is stored in a subfolder called **artifacts** in the path where the main template is stored.  You can use one of the following values for the relativePath:
 
 - `./artifacts/linkedTemplate.json`
 - `/artifacts/linkedTemplate.json`

articles/iot-hub-device-update/device-update-agent-provisioning.md

@@ -76,8 +76,25 @@ Follow these instructions to provision the Device Update agent on [IoT Edge enab
 
 1. Follow the instructions to [Install and provision the Azure IoT Edge runtime](https://docs.microsoft.com/azure/iot-edge/how-to-install-iot-edge?view=iotedge-2020-11&preserve-view=true).
 
-1. Then install the Device Update agent from [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) and you are now ready to start the Device Update agent on your IoT Edge device.
-
+1. Install the Device Update image update agent
+    - We provide sample images in [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) to try image update rollouts to different versions using a base image (adu-base-image) and one update image (adu-update-image). See example of [how to flash the image to your IoT Hub device](https://docs.microsoft.com/azure/iot-hub-device-update/device-update-raspberry-pi#flash-sd-card-with-image).  
+
+1. Install the Device Update package update agent  
+    - For latest agent versions from packages.miscrosoft.com: Update package lists on your device and install the Device Update agent package and its dependencies using:	
+	```shell
+	sudo apt-get update
+	```
+	
+	```shell
+	sudo apt-get install deviceupdate-agent deliveryoptimization-plugin-apt
+	```
+	
+    - For upcoming release candidate versions from [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) : Download the .dep file to the machine you want to install the Device Update agent on, then:
+	 ```shell
+	Sudo apt-get install -y ./"<PATH TO FILE>"/"<.DEP FILE NAME>"
+	 ```
+	
+1. You are now ready to start the Device Update agent on your IoT Edge device. 
 
 ### On non-Edge IoT Linux devices
 
@@ -125,14 +142,15 @@ Follow these instructions to provision the Device Update agent on your IoT Linux
     sudo aziotctl config apply
     ```
 
-1.	Finally install the Device Update agent from [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) and you are now ready to start the Device Update agent on your IoT Edge device.
+1.	Finally install the Device Update agent. We provide sample images in [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) to try image update rollouts to different versions using a base image (adu-base-image) and one update image (adu-update-image). See example of [how to flash the image to your IoT Hub device](https://docs.microsoft.com/azure/iot-hub-device-update/device-update-raspberry-pi#flash-sd-card-with-image).
 
+1.	You are now ready to start the Device Update agent on your IoT device. 
 
 ### Other IoT devices
 
 The Device Update agent can also be configured without the IoT Identity service for testing or on constrained devices. Follow the below steps to provision the Device Update agent using a connection string (from the Module or Device).
 
-1.	Install Device Update agent from [Artifacts](https://github.com/Azure/iot-hub-device-update/releases).
+1.	We provide sample images in [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) to try image update rollouts to different versions using a base image (adu-base-image) and one update image (adu-update-image). See example of [how to flash the image to your IoT Hub device](https://docs.microsoft.com/azure/iot-hub-device-update/device-update-raspberry-pi#flash-sd-card-with-image).
 
 1.	Log onto the machine or IoT Edge device/IoT device.
 
@@ -145,16 +163,16 @@ The Device Update agent can also be configured without the IoT Identity service
 
     1. You should see a window open with some text in it. Delete the entire string following 'connection_String=' the first-time you provision the Device Update agent on the IoT device. It is just place holder text.
 
-    1. In the terminal, replace <your-connection-string> with the connection string of the device for your instance of Device Update agent.
+    1. In the terminal, replace "<your-connection-string>" with the connection string of the device for your instance of Device Update agent.
 
         > [!Important]
         > Do not add quotes around the connection string.
 
-        - connection_string=<your-connection-string>
+        - connection_string= "<ADD CONNECTION STRING HERE>"
 
     1. Enter and save.
 
-1.	Now you are now ready to start the Device Update agent on your IoT Edge device. 
+1.	Now you are now ready to start the Device Update agent on your IoT device. 
 
 
 ## How to start the Device Update Agent
@@ -187,7 +205,7 @@ You can also build and modify your own customer Device Update agent.
 Follow the instructions to [build](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-build-agent-code.md) the Device Update Agent
 from source.
 
-Once the agent is successfully building, it's time [run](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-run-agent.md)
+Once the agent is successfully building, it's time to [run](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-run-agent.md)
 the agent.
 
 Now, make the changes needed to incorporate the agent into your image.  Look at how to

articles/purview/media/register-scan-amazon-s3/locate-account-id-external-id.png

@@ -112,10 +112,31 @@ This procedure describes how to create a new Purview credential to use when scan
 
     Select **Create** when you're done to finish creating the credential.
 
-For more information about Purview credentials, see the [Azure Purview public preview documentation](manage-credentials.md).
+1. If you haven't yet, copy and paste the **Microsoft account ID** and **External ID** values for use when [creating a new AWS role for Purview](#create-a-new-aws-role-for-purview), which is your next step.
+
+For more information about Purview credentials, see [Credentials for source authentication in Azure Purview](manage-credentials.md).
 
 ### Create a new AWS role for Purview
 
+This procedure requires that you enter the values for your Azure Account ID and External ID when creating your AWS role.
+
+If you don't have these values, locate them first in your [Purview credential](#create-a-purview-credential-for-your-aws-bucket-scan).
+
+**To locate your Microsoft Account ID and External ID**:
+
+1. In Purview, navigate to the **Management Center** > **Security and access** > **Credentials**.
+
+1. Select the credential that you [created for your AWS bucket scan](#create-a-purview-credential-for-your-aws-bucket-scan), and then in the toolbar, select **Edit**.
+
+1. In the **Edit credential** pane that appears on the right, copy the **Microsoft account ID** and **External ID** values to a separate file, or have them handy for pasting into the relevant field in AWS.
+
+    For example:
+
+    [ ![Locate your Microsoft account ID and External ID values.](./media/register-scan-amazon-s3/locate-account-id-external-id.png) ](./media/register-scan-amazon-s3/locate-account-id-external-id.png#lightbox)
+
+
+**To create your AWS role for Purview**:
+
 1.	Open your **Amazon Web Services** console, and under **Security, Identity, and Compliance**, select **IAM**.
 
 1. Select **Roles** and then **Create role**.
@@ -125,13 +146,9 @@ For more information about Purview credentials, see the [Azure Purview public pr
     |Field  |Description  |
     |---------|---------|
     |**Account ID**     |    Enter your Microsoft Account ID. For example: `615019938638`     |
-    |**External ID**     |   Under options, select **Require external ID...**, and then enter your External ID in the designated field. <br>For example: `e7e2b8a3-0a9f-414f-a065-afaf4ac6d994`    <br><br>You can find this external ID when you .  |
+    |**External ID**     |   Under options, select **Require external ID...**, and then enter your External ID in the designated field. <br>For example: `e7e2b8a3-0a9f-414f-a065-afaf4ac6d994`     |
     | | |
 
-    > [!NOTE]
-    > You can find the values for both the **Microsoft Account ID** and **External ID** in the Purview **Management Center** > **Credentials** area, where you [created your Purview credentials](#create-a-purview-credential-for-your-aws-bucket-scan).
-    >
-
     For example:
 
     ![Add the Microsoft Account ID to your AWS account.](./media/register-scan-amazon-s3/aws-create-role-amazon-s3.png)

articles/purview/register-scan-amazon-s3.md

@@ -150,7 +150,6 @@ spec:
       labels:
         app: redis
       annotations:
-        apparmor.security.beta.kubernetes.io/pod: runtime/default
         container.apparmor.security.beta.kubernetes.io/redis: runtime/default
     spec:
       containers:
@@ -251,4 +250,4 @@ For other related material, see the following pages:
 
 - [Security Center recommendations for compute](recommendations-reference.md#recs-compute)
 - [Alerts for AKS cluster level](alerts-reference.md#alerts-akscluster)
-- [Alerts for Container host level](alerts-reference.md#alerts-containerhost)
+- [Alerts for Container host level](alerts-reference.md#alerts-containerhost)

articles/security-center/kubernetes-workload-protections.md

@@ -5,7 +5,7 @@ author: memildin
 manager: rkarlin
 ms.service: security-center
 ms.topic: reference
-ms.date: 04/06/2021
+ms.date: 04/11/2021
 ms.author: memildin
 
 ---
@@ -24,26 +24,22 @@ To learn about *planned* changes that are coming soon to Security Center, see [I
 ## April 2021
 
 Updates in April include:
-- [Four new recommendations related to guest configuration (preview)](#four-new-recommendations-related-to-guest-configuration-preview)
+- [Recently pulled container registry images are now rescanned weekly (General Availability)](#recently-pulled-container-registry-images-are-now-rescanned-weekly-general-availability)
 - [Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)](#use-azure-defender-for-kubernetes-to-protect-hybrid-and-multi-cloud-kubernetes-deployments-preview)
+- [Four new recommendations related to guest configuration (preview)](#four-new-recommendations-related-to-guest-configuration-preview)
+- [CMK recommendations moved to best practices security control](#cmk-recommendations-moved-to-best-practices-security-control)
 - [11 Azure Defender alerts deprecated](#11-azure-defender-alerts-deprecated)
 - [Two recommendations from "Apply system updates" security control were deprecated](#two-recommendations-from-apply-system-updates-security-control-were-deprecated)
 
-### Four new recommendations related to guest configuration (preview)
+### Recently pulled container registry images are now rescanned weekly (General Availability)
 
-Azure's [Guest Configuration extension](../governance/policy/concepts/guest-configuration.md) reports to Security Center to help ensure your virtual machines' in-guest settings are hardened. The extension isn't required for Arc enabled servers because it's included in the Arc Connected Machine agent. The extension requires a system-managed identity on the machine.
+Azure Defender for container registries includes a built-in vulnerability scanner. This scanner immediately scans any image you push to your registry and any image pulled within the last 30 days.
 
-We've added four new recommendations to Security Center to make the most of this extension.
-
-- Two recommendations prompt you to install the extension and its required system-managed identity:
-    - **Guest Configuration extension should be installed on your machines**
-    - **Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity**
+New vulnerabilities are discovered every day. With this update, container images that were pulled from your registries during the last 30 days will be **rescanned** every week. This ensures that newly discovered vulnerabilities are identified in your images.
 
-- When the extension is installed and running, it'll begin auditing your machines and you'll be prompted to harden settings such as configuration of the operating system and environment settings. These two recommendations will prompt you to harden your Windows and Linux machines as described:
-    - **Windows Defender Exploit Guard should be enabled on your machines**
-    - **Authentication to Linux machines should require SSH keys**
+Scanning is charged on a per image basis, so there's no additional charge for these rescans.
 
-Learn more in [Understand Azure Policy's Guest Configuration](../governance/policy/concepts/guest-configuration.md).
+Learn more about this scanner in [Use Azure Defender for container registries to scan your images for vulnerabilities](defender-for-container-registries-usage.md).
 
 
 ### Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (preview)
@@ -66,6 +62,40 @@ Learn more in [Use Azure Defender for Kubernetes with your on-premises and multi
 
 :::image type="content" source="media/defender-for-kubernetes-azure-arc/extension-recommendation.png" alt-text="Azure Security Center's recommendation for deploying the Azure Defender extension for Azure Arc enabled Kubernetes clusters." lightbox="media/defender-for-kubernetes-azure-arc/extension-recommendation.png":::
 
+### Four new recommendations related to guest configuration (preview)
+
+Azure's [Guest Configuration extension](../governance/policy/concepts/guest-configuration.md) reports to Security Center to help ensure your virtual machines' in-guest settings are hardened. The extension isn't required for Arc enabled servers because it's included in the Arc Connected Machine agent. The extension requires a system-managed identity on the machine.
+
+We've added four new recommendations to Security Center to make the most of this extension.
+
+- Two recommendations prompt you to install the extension and its required system-managed identity:
+    - **Guest Configuration extension should be installed on your machines**
+    - **Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity**
+
+- When the extension is installed and running, it'll begin auditing your machines and you'll be prompted to harden settings such as configuration of the operating system and environment settings. These two recommendations will prompt you to harden your Windows and Linux machines as described:
+    - **Windows Defender Exploit Guard should be enabled on your machines**
+    - **Authentication to Linux machines should require SSH keys**
+
+Learn more in [Understand Azure Policy's Guest Configuration](../governance/policy/concepts/guest-configuration.md).
+
+### CMK recommendations moved to best practices security control
+
+Every organization's security program includes data encryption requirements. By default, Azure customers' data is encrypted at rest with service-managed keys. However, customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs let you encrypt your data with an [Azure Key Vault](../key-vault/general/overview.md) key created and owned by you. This gives you full control and responsibility for the key lifecycle, including rotation and management.
+
+Azure Security Center's security controls are logical groups of related security recommendations, and reflect your vulnerable attack surfaces. Each control has a maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources. The **Implement security best practices** security control is worth zero points. So recommendations in this control don't affect your secure score.
+
+The recommendations listed below are being moved to the **Implement security best practices** security control to better reflect their optional nature. This move ensures that these recommendations are in the most appropriate control to meet their objective.
+
+- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
+- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
+- Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
+- Container registries should be encrypted with a customer-managed key (CMK)
+- SQL managed instances should use customer-managed keys to encrypt data at rest
+- SQL servers should use customer-managed keys to encrypt data at rest
+- Storage accounts should use customer-managed key (CMK) for encryption
+
+Learn which recommendations are in each security control in [Security controls and their recommendations](secure-score-security-controls.md#security-controls-and-their-recommendations).
+
 
 ### 11 Azure Defender alerts deprecated
 

articles/security-center/release-notes.md

@@ -5,10 +5,35 @@
   - name: Security
     tocHref: /azure/
     topicHref: /azure/security/index
+
 - name: Azure
   tocHref: /azure/
   topicHref: /azure/index
   items:
   - name: Security
     tocHref: /azure/architecture/
-    topicHref: /azure/security/index
+    topicHref: /azure/security/index
+
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:
+  - name: Security
+    tocHref: /azure/active-directory/
+    topicHref: /azure/Security/index
+    items:
+    - name: Fundamentals
+      tocHref: /azure/active-directory/authentication
+      topicHref: /azure/security/fundamentals/index
+
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:
+  - name: Security
+    tocHref: /azure/architecture/
+    topicHref: /azure/Security/index
+    items:
+    - name: Fundamentals
+      tocHref: /azure/architecture/framework/security
+      topicHref: /azure/security/fundamentals/index