Merge pull request #221797 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: rmca14

articles/applied-ai-services/form-recognizer/whats-new.md

@@ -305,7 +305,7 @@ Form Recognizer service is updated on an ongoing basis. Bookmark this page to st
 ---
 * [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio) June release is the latest update to the Form Recognizer Studio. There are considerable user experience and accessibility improvements addressed in this update:
 
-  * **Code sample for Javascript and C#**. The Studio code tab now adds JavaScript and C# code samples in addition to the existing Python one.
+  * **Code sample for JavaScript and C#**. The Studio code tab now adds JavaScript and C# code samples in addition to the existing Python one.
   * **New document upload UI**. Studio now supports uploading a document with drag & drop into the new upload user interface.
   * **New feature for custom projects**. Custom projects now support creating storage account and blobs when configuring the project. In addition, custom project now supports uploading training files directly within the Studio and copying the existing custom model.
 

articles/azure-monitor/agents/azure-monitor-agent-manage.md

@@ -391,7 +391,7 @@ Policy initiatives for Windows and Linux virtual machines, scale sets consist of
 #### Known issues
 
 - Managed Identity default behavior. [Learn more](../../active-directory/managed-identities-azure-resources/managed-identities-faq.md#what-identity-will-imds-default-to-if-dont-specify-the-identity-in-the-request).
-- Possible rare condition with using built-in user-assigned identity creation policy. [Learn more](../../active-directory/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy.md#known-issues).
+- Possible race condition with using built-in user-assigned identity creation policy. [Learn more](../../active-directory/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy.md#known-issues).
 - Assigning policy to resource groups. If the assignment scope of the policy is a resource group and not a subscription, the identity used by policy assignment (different from the user-assigned identity used by agent) must be manually granted [these roles](../../active-directory/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy.md#required-authorization) prior to assignment/remediation. Failing to do this step will result in *deployment failures*.
 - Other [Managed Identity limitations](../../active-directory/managed-identities-azure-resources/managed-identities-faq.md#limitations).
 

articles/defender-for-cloud/plan-defender-for-servers-agents.md

@@ -96,8 +96,6 @@ Before deployment, verify operating system support for agents and extensions.
 - [Check requirements](../azure-arc/servers/prerequisites.md) for Azure Arc Connect Machine agent.
 - Check operating system support for the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md#supported-operating-systems) and [Azure Monitor agent](../azure-monitor/agents/agents-overview.md)
 
-
-
 ## Review agent provisioning
 
 When you enable Defender for Cloud plans, including Defender for Servers, you can select to automatically provision a number of agents. These are the agents that are relevant for Defender for Servers:
@@ -120,7 +118,6 @@ Manual installation | If you don't want Defender for Cloud to provision the Log
 [Operations Manager agent](faq-data-collection-agents.yml#what-if-a-system-center-operations-manager-agent-is-already-installed-on-my-vm-) | The Log Analytics agent can work side-by-side with the Operations Manager agent. The agents share common runtime libraries which will be updated when the Log Analytics agent is deployed.
 Removing the Log Analytics extension | If you remove the Log Analytics extension, Defender for Cloud won't be able to collect security data and recommendations/alerts will be missing. Within 24 hours, Defender for Cloud will determine that the extension is missing and reinstalls it.
 
-
 ## When shouldn't I use auto provisioning?
 
 You might want to opt out of automatic provisioning in the following circumstances.
@@ -131,13 +128,12 @@ You have critical VMs that shouldn't have agents installed. | Log Analytics agen
 If you're running the System Center Operations Manager agent version 2012 with Operations Manager 2012  | Log Analytics agent | With this configuration, don't turn on automatic provisioning, otherwise management capabilities might be lost.
 You want to configure a custom workspace | Log Analytics agent, Azure Monitor agent | You have two options with a custom workspace:<br/><br/> - Opt out of automatic provisioning when you first set up Defender for Cloud. Then, configure provisioning on your custom workspace.<br/><br/>- Let automatic provisioning run to install the Log Analytic agents on machines. Set a custom workspace, and then when asked, reconfigure existing VMs with the new workspace setting.
 
-
 ## Next steps
 
 After working through these planning steps, you can start deployment:
 
 - [Enable Defender for Servers](enable-enhanced-security.md) plans
-- [Connect on-premises machines](quickstart-onboard-aws.md) to Azure.
+- [Connect on-premises machines](quickstart-onboard-machines.md) to Azure.
 - [Connect AWS accounts](quickstart-onboard-aws.md) to Defender for Cloud.
 - [Connect GCP projects](quickstart-onboard-gcp.md) to Defender for Cloud.
 - Learn about [scaling your Defender for Server deployment](plan-defender-for-servers-scale.md).

articles/external-attack-surface-management/understanding-asset-details.md

@@ -200,7 +200,7 @@ Below the Web components section, users can view a list of all CVEs applicable t
 
 ### Resources
 
-The Resources tab provides insight on any JavaScript resources running on any page or host assets. When applicable to a host, these resources are aggregated to represent the Javascript running on all pages on that host. This section provides an inventory of the JavaScript detected on each asset so that your organization has full visibility into these resources and can detect any changes. Defender EASM provides the resource URL and host, MD5 value, and first and last seen dates to help organizations effectively monitor the use of Javascript resources across their inventory.
+The Resources tab provides insight on any JavaScript resources running on any page or host assets. When applicable to a host, these resources are aggregated to represent the JavaScript running on all pages on that host. This section provides an inventory of the JavaScript detected on each asset so that your organization has full visibility into these resources and can detect any changes. Defender EASM provides the resource URL and host, MD5 value, and first and last seen dates to help organizations effectively monitor the use of JavaScript resources across their inventory.
 
 ![Screenshot of resources tab](media/Inventory_12.png)
 

articles/machine-learning/how-to-troubleshoot-environments.md

@@ -53,12 +53,51 @@ Running a training script remotely requires the creation of a Docker image.
 
 ## Reproducibility and vulnerabilities
 
-Over time vulnerabilities are discovered and Docker images that correspond to AzureML environments may be flagged by scanning tools.
-Updates for AzureML based images are released regularly, with a commitment of no unpatched vulnerabilities older than 30 days in the latest version of the image.
-It's your responsibility to evaluate the threat and address vulnerabilities in environments.
-Not all the vulnerabilities are exploitable, so you need to use your judgment when choosing between reproducibility and resolving vulnerabilities.
-> [!IMPORTANT]
-> There's no guarantee that the same set of Python dependencies will be materialized with an image rebuild or for a new environment with the same set of Python dependencies. 
+### Vulnerabilities
+
+Vulnerabilities can be addressed by upgrading to a newer version of a dependency or migrating to a different dependency that satisfies security
+requirements. Mitigating vulnerabilities is time consuming and costly since it can require refractoring of code and infrastructure. With the prevalence
+of open source software and the use of complicated nested dependencies, it's important to manage and keep track of vulnerabilities.
+
+There are some ways to decrease the impact of vulnerabilities:
+
+- Reduce your number of dependencies - use the minimal set of the dependencies for each scenario.
+- Compartmentalize your environment so issues can be scoped and fixed in one place.
+- Understand flagged vulnerabilities and their relevance to your scenario.
+
+### Vulnerabilities vs Reproducibility
+
+Reproducibility is one of the foundations of software development. While developing production code, a repeated operation must guarantee the same
+result. Mitigating vulnerabilities can disrupt reproducibility by changing dependencies.
+
+AzureML's primary focus is to guarantee reproducibility. Environments can broadly be divided into three categories: curated,
+user-managed, and system-managed.
+
+**Curated environments** are pre-created environments that are managed by Azure Machine Learning (AzureML) and are available by default in every AzureML workspace provisioned.
+
+Intended to be used as is, they contain collections of Python packages and settings to help you get started with various machine learning frameworks.
+These pre-created environments also allow for faster deployment time.
+
+In **user-managed environments**, you're responsible for setting up your environment and installing every package that your training script needs on the
+compute target and for model deployment. These types of environments are represented by two subtypes:
+
+- BYOC (bring your own container): the user provides a Docker image to AzureML
+- Docker build context: AzureML materializes the image from the user provided content
+
+Once you install more dependencies on top of a Microsoft-provided image, or bring your own base image, vulnerability
+management becomes your responsibility.
+
+You use **system-managed environments** when you want conda to manage the Python environment for you. A new isolated conda environment is materialized
+from your conda specification on top of a base Docker image. While Azure Machine Learning patches base images with each release, whether you use the
+latest image may be a tradeoff between reproducibility and vulnerability management. So, it's your responsibility to choose the environment version used
+for your jobs or model deployments while using system-managed environments.
+
+Associated to your Azure Machine Learning workspace is an Azure Container Registry instance that's used as a cache for container images. Any image
+materialized is pushed to the container registry and used if experimentation or deployment is triggered for the corresponding environment. Azure
+Machine Learning does not delete any image from your container registry, and it's your responsibility to evaluate which images you need to maintain over time. Users
+can monitor and maintain environment hygiene with [Microsoft Defender for Container Registry](../defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md)
+to help scan images for vulnerabilities. To
+automate this process based on triggers from Microsoft Defender, see [Automate responses to Microsoft Defender for Cloud triggers](../defender-for-cloud/workflow-automation.md).
 
 ## **Environment definition problems**
 

articles/private-5g-core/azure-private-5g-core-release-notes-2211.md

@@ -68,8 +68,8 @@ The following table provides a summary of known issues carried over from the pre
   |No.  |Feature  | Issue |
   |-----|-----|-----|
   | 1 | Policy configuration  | Azure Private 5G Core may ignore non-default QoS and Policy configuration when handling 4G subscribers.  | 
-  | 2 | Packet forwarding  | Azure Private 5G Core local dashboards may show incorrect values in some graphs (e.g. session counts) after a power cycle of the server.   | 
-  | 3 | Local dashboards  | Azure Private 5G Core local dashboards may show incorrect values in some graphs (e.g. session counts) after a power cycle of the server.   | 
+  | 2 | Packet forwarding  | Azure Private 5G Core may not forward buffered packets if NAT is enabled.   | 
+
 
 
 

articles/site-recovery/azure-to-azure-support-matrix.md

@@ -284,7 +284,7 @@ Managed disk - standard | Supported in Azure regions in which Azure Site Recover
 Managed disk - premium | Supported in Azure regions in which Azure Site Recovery is supported. |
 Disk subscription limits | Up to 3000 protected disks per Subscription | Ensure that the Source or Target subscription does not have more than 3000 Azure Site Recovery-protected Disks (Both Data and OS).
 Standard SSD | Supported |
-Redundancy | LRS and GRS are supported.<br/><br/> ZRS isn't supported.
+Redundancy | LRS, ZRS, and GRS are supported.
 Cool and hot storage | Not supported | VM disks aren't supported on cool and hot storage
 Storage Spaces | Supported |
 NVMe storage interface | Not supported
@@ -306,7 +306,7 @@ DRBD | Disks that are part of a DRBD setup are not supported. |
 LRS | Supported |
 GRS | Supported |
 RA-GRS | Supported |
-ZRS | Not supported | 
+ZRS | Supported | 
 Cool and Hot Storage | Not supported | Virtual machine disks are not supported on cool and hot storage
 Azure Storage firewalls for virtual networks  | Supported | If restrict virtual network access to storage accounts, enable [Allow trusted Microsoft services](../storage/common/storage-network-security.md#exceptions).
 General purpose V2 storage accounts (Both Hot and Cool tier) | Supported | Transaction costs increase substantially compared to General purpose V1 storage accounts

articles/virtual-machines/workloads/sap/automation-configure-devops.md

@@ -161,7 +161,7 @@ Name of code repository: 'sap-automation', source: 'https://github.com/Azure/sap
 Name of sample and template repository: 'sap-samples', source: 'https://github.com/Azure/sap-automation-samples.git'
 
 #### Running the code directly from GitHub
-If you want to run the code directly from GitHub you need to provide credentials for Azure DevOps to be able to pull the content from Github
+If you want to run the code directly from GitHub you need to provide credentials for Azure DevOps to be able to pull the content from GitHub.
 #### Creating the GitHub Service connection
 
 To pull the code from GitHub, you need a GitHub service connection. For more information, see [Manage service connections](/azure/devops/pipelines/library/service-endpoints?view=azure-devops&preserve-view=true)
@@ -170,7 +170,7 @@ To create the service connection, go to Project settings and navigate to the Ser
 
 :::image type="content" source="./media/automation-devops/automation-create-service-connection.png" alt-text="Picture showing how to create a Service connection":::
 
-Choose _Github_ as the service connection type. Choose 'Azure Pipelines' in the OAuth Configuration drop-down.
+Choose _GitHub_ as the service connection type. Choose 'Azure Pipelines' in the OAuth Configuration drop-down.
 
 Click 'Authorize' to log on to GitHub.
 

articles/vpn-gateway/azure-vpn-client-optional-configurations.md

@@ -77,7 +77,7 @@ To add custom DNS servers, modify the downloaded profile XML file and add the **
 
 	<dnsservers>
 		<dnsserver>x.x.x.x</dnsserver>
-        <dnsserver>y.y.y.y</dnsserver>
+        	<dnsserver>y.y.y.y</dnsserver>
 	</dnsservers>
 
 </clientconfig>
@@ -122,6 +122,10 @@ You can configure forced tunneling in order to direct all traffic to the VPN tun
   </clientconfig>
   </azvpnprofile>
   ```
+  
+> [!NOTE]
+> - The default status for the clientconfig tag is `<clientconfig i:nil="true" />`, which can be modified based on the requirement.
+> - A duplicate clientconfig tag is not supported on macOS, so make sure the clientconfig tag is not duplicated in the XML file.
 
 ### Add custom routes
 
@@ -135,6 +139,9 @@ You can add custom routes. Modify the downloaded profile XML file and add the **
 		<route>
 			<destination>x.x.x.x</destination><mask>24</mask>
 		</route>
+		<route>
+    			<destination>y.y.y.y</destination><mask>24</mask>
+    		</route>
 	</includeroutes>
 
 </clientconfig>
@@ -153,15 +160,18 @@ You block (exclude) routes. Modify the downloaded profile XML file and add the *
 		<route>
 			<destination>x.x.x.x</destination><mask>24</mask>
 		</route>
+		<route>
+    			<destination>y.y.y.y</destination><mask>24</mask>
+    		</route>
 	</excluderoutes>
 
 </clientconfig>
 </azvpnprofile>
 ```
 
 > [!NOTE]
-> - The default status for clientconfig tag is <clientconfig i:nil="true" />, which can be modified based on the requirement.
-> - Duplicate clientconfig tag is not supported on macOS, so make sure the clientconfig tag is not duplicated in the XML file.
+> - To include/exclude multiple destination routes, put each destination address under a separate route tag _(as shown in the above examples)_, because multiple destination addresses in a single route tag won't work.
+> - If you encounter the error "_Destination cannot be empty or have more than one entry inside route tag_", check the profile XML file and ensure that the includeroutes/excluderoutes section has only one destination address inside a route tag.
 >
 
 ## Next steps