MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/partner-gallery.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/partner-gallery.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
Lines changed: 3 additions & 2 deletions b/‎articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/active-directory/authentication/howto-sspr-windows.md
Lines changed: 12 additions & 13 deletions b/‎articles/active-directory/authentication/howto-sspr-windows.md
Lines changed: 12 additions & 13 deletions
diff --git a/‎articles/active-directory/authentication/media/concept-certificate-based-authentication-certificateuserids/alt-security-identity-outbound.png
-5.74 KB b/‎articles/active-directory/authentication/media/concept-certificate-based-authentication-certificateuserids/alt-security-identity-outbound.png
-5.74 KB
diff --git a/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 1 addition & 1 deletion
@@ -102,13 +102,13 @@ Microsoft partners with the following ISVs for Web Application Firewall (WAF).
 |  ![Screenshot of Azure WAF logo](./media/partner-gallery/azure-web-application-firewall-logo.png) | [Azure WAF](./partner-azure-web-application-firewall.md) provides centralized protection of your web applications from common exploits and vulnerabilities.  |
 ![Screenshot of Cloudflare logo](./media/partner-gallery/cloudflare-logo.png) | [Cloudflare](./partner-cloudflare.md) is a WAF provider that helps organizations protect against malicious attacks that aim to exploit vulnerabilities such as SQLi, and XSS. |
 
-## Identity verification tools 
+## Developer tools 
 
 Microsoft partners with the following ISVs for tools that can help with implementation of your authentication solution.
 
 | ISV partner | Description and integration walkthroughs |
 |:-------------------------|:--------------|
-| ![Screenshot of a grit ief editor logo.](./media/partner-gallery/grit-logo.png) | [Grit Visual Identity Experience Framework Editor](./partner-grit-editor.md) is a tool that saves time during authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys.|
+| ![Screenshot of a grit ief editor logo.](./media/partner-gallery/grit-logo.png) | [Grit Visual Identity Experience Framework Editor](./partner-grit-editor.md) provides a low code/no code experience for developers to create sophisticated authentication user journeys. The tool comes with integrated debugger and templates for the most used scenarios.|
 
 ## Additional information
 
 
@@ -134,8 +134,9 @@ To map the pattern supported by certificateUserIds, administrators must use expr
 You can use the following expression for mapping to SKI and SHA1-PUKEY:
 
 ```
-(Contains([alternativeSecurityId],"x509:\<SKI>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SKI match found."))
-& IIF(Contains([alternativeSecurityId],"x509:\<SHA1-PUKEY>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SHA1-PUKEY match found."))
+IF(IsPresent([alternativeSecurityId]),
+                Where($item,[alternativeSecurityId],BitOr(InStr($item, "x509:<SKI>"),InStr($item, "x509:<SHA1-PUKEY>"))>0),[alternativeSecurityId]
+)
 ```
 
 ## Look up certificateUserIds using Microsoft Graph queries
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 03/18/2022
+ms.date: 10/13/2022
 
 ms.author: justinha
 author: justinha
@@ -17,9 +17,9 @@ ms.collection: M365-identity-device-management
 ---
 # Enable Azure Active Directory self-service password reset at the Windows sign-in screen
 
-Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, and 10, you can enable users to reset their password at the Windows sign-in screen.
+Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the [SSPR portal](https://aka.ms/sspr). To improve the experience on computers that run Windows 7, 8, 8.1, 10, and 11 you can enable users to reset their password at the Windows sign-in screen.
 
-![Example Windows 7 and 10 login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
+![Example Windows login screens with SSPR link shown](./media/howto-sspr-windows/windows-reset-password.png)
 
 > [!IMPORTANT]
 > This tutorial shows an administrator how to enable SSPR for Windows devices in an enterprise.
@@ -37,7 +37,6 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
 - Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
 - If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article [Performance poor when using custom default user profile](https://support.microsoft.com/help/4056823/performance-issue-with-custom-default-user-profile).
 - The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
-    - If Ctrl+Alt+Del is required by policy in Windows 10, **Reset password** won't work.
     - If lock screen notifications are turned off, **Reset password** won't work.
     - *HideFastUserSwitching* is set to enabled or 1
     - *DontDisplayLastUserName* is set to enabled or 1
@@ -55,11 +54,11 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
 > These limitations also apply to Windows Hello for Business PIN reset from the device lock screen.
 >
 
-## Windows 10 password reset
+## Windows 11 and 10 password reset
 
-To configure a Windows 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
+To configure a Windows 11 or 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
 
-### Windows 10 prerequisites
+### Windows 11 and 10 prerequisites
 
 - An administrator [must enable Azure AD self-service password reset from the Azure portal](tutorial-enable-sspr.md).
 - Users must register for SSPR before using this feature at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup)
@@ -71,17 +70,17 @@ To configure a Windows 10 device for SSPR at the sign-in screen, review the foll
     - Azure AD joined
     - Hybrid Azure AD joined
 
-### Enable for Windows 10 using Microsoft Endpoint Manager
+### Enable for Windows 11 and 10 using Microsoft Endpoint Manager
 
 Deploying the configuration change to enable SSPR from the login screen using Microsoft Endpoint Manager is the most flexible method. Microsoft Endpoint Manager allows you to deploy the configuration change to a specific group of machines you define. This method requires Microsoft Endpoint Manager enrollment of the device.
 
 #### Create a device configuration policy in Microsoft Endpoint Manager
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and select **Endpoint Manager**.
 1. Create a new device configuration profile by going to **Device configuration** > **Profiles**, then select **+ Create Profile**
-   - For **Platform** choose *Windows 10 and later*
+   - For **Platform** choose *Windows 11 and later*
    - For **Profile type**, choose *Custom*
-1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 10 sign-in screen SSPR*
+1. Select **Create**, then provide a meaningful name for the profile, such as *Windows 11 sign-in screen SSPR*
 
     Optionally, provide a meaningful description of the profile, then select **Next**.
 1. Under *Configuration settings*, select **Add** and provide the following OMA-URI setting to enable the reset password link:
@@ -99,7 +98,7 @@ Deploying the configuration change to enable SSPR from the login screen using Mi
 1. Configure applicability rules as desired for your environment, such as to *Assign profile if OS edition is Windows 10 Enterprise*, then select **Next**.
 1. Review your profile, then select **Create**.
 
-### Enable for Windows 10 using the Registry
+### Enable for Windows 11 and 10 using the Registry
 
 To enable SSPR at the sign-in screen using a registry key, complete the following steps:
 
@@ -112,13 +111,13 @@ To enable SSPR at the sign-in screen using a registry key, complete the followin
        "AllowPasswordReset"=dword:00000001
     ```
 
-### Troubleshooting Windows 10 password reset
+### Troubleshooting Windows 11 and 10 password reset
 
 If you have problems with using SSPR from the Windows sign-in screen, the Azure AD audit log includes information about the IP address and *ClientType* where the password reset occurred, as shown in the following example output:
 
 ![Example Windows 7 password reset in the Azure AD Audit log](media/howto-sspr-windows/windows-7-sspr-azure-ad-audit-log.png)
 
-When users reset their password from the sign-in screen of a Windows 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
+When users reset their password from the sign-in screen of a Windows 11 or 10 device, a low-privilege temporary account called `defaultuser1` is created. This account is used to keep the password reset process secure.
 
 The account itself has a randomly generated password, which is validated against an organizations password policy, doesn't show up for device sign-in, and is automatically removed after the user resets their password. Multiple `defaultuser` profiles may exist but can be safely ignored.
 
 
@@ -112,7 +112,7 @@ The following device attributes can be used with the filter for devices conditio
 | --- | --- | --- | --- |
 | deviceId | Equals, NotEquals, In, NotIn | A valid deviceId that is a GUID | (device.deviceid -eq "498c4de7-1aee-4ded-8d5d-000000000000") |
 | displayName | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.displayName -contains "ABC") |
-| deviceOwnership | Equals, NotEquals | Supported values are "Personal" for bring your own devices and "Company" for corprate owned devices  | (device.deviceOwnership -eq "Company") |
+| deviceOwnership | Equals, NotEquals | Supported values are "Personal" for bring your own devices and "Company" for corporate owned devices  | (device.deviceOwnership -eq "Company") |
 | isCompliant | Equals, NotEquals | Supported values are "True" for compliant devices and "False" for non compliant devices  | (device.isCompliant -eq "True") |
 | manufacturer | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.manufacturer -startsWith "Microsoft") |
 | mdmAppId | Equals, NotEquals, In, NotIn | A valid MDM application ID | (device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"] |