Commit 9da0018

Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents a8f5786 + c5f1b1e commit 9da0018

111 files changed (+276 -209 lines)

articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -737,7 +737,7 @@ The NumFromDate function converts a DateTime value to Active Directory format th
737737

738738
| Name | Required/ Repeating | Type | Notes |
739739
| --- | --- | --- | --- |
740-
| **value** |Required | String | Date time string in the supported format. For supported formats, see https://msdn.microsoft.com/library/8kb3ddd4%28v=vs.110%29.aspx. |
740+
| **value** |Required | String | Date time string in [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format. If the date variable is in a different format, use [FormatDateTime](#formatdatetime) function to convert the date to ISO 8601 format. |
741741

742742
**Example:**
743743
* Workday example
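Review bot: the new `value` row says "ISO 8601 format" but not which ISO 8601 forms NumFromDate accepts (date only, date and time, with or without a UTC offset) or how a value without an offset is interpreted when it is converted to the Active Directory timestamp; the old row at least pointed readers at an external list of supported formats. State the accepted form explicitly with one example value such as `2022-11-17T10:30:00Z`, and say whether an offset-less value is treated as UTC or local time, since a silent timezone assumption here shifts every provisioned date. Also confirm that the `#formatdatetime` anchor matches the actual heading text in this file; in-page anchors break silently when a heading is renamed.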

articles/active-directory/authentication/how-to-mfa-server-migration-utility.md

Lines changed: 2 additions & 2 deletions
@@ -30,7 +30,7 @@ Admins can use the MFA Server Migration Utility to target single users or groups
3030
- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don’t have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.
3131
- The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings.
3232
- AD FS running Windows Server 2016 or higher is required to provide MFA authentication on any AD FS relying parties, not including Azure AD and Office 365.
33-
- Review your AD FS claims rules and make sure none requires MFA to be performed on-premises as part of the authentication process.
33+
- Review your AD FS access control policies and make sure none requires MFA to be performed on-premises as part of the authentication process.
3434
- Staged rollout can target a maximum of 500,000 users (10 groups containing a maximum of 50,000 users each).
3535

3636
## Migration guide
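Review bot: narrowing "claims rules" to "access control policies" in the bullet at line 33 drops a case the old wording covered: a relying party that has never been moved to an access control policy still expresses its MFA requirement in claim rules, and those need the same review before federation settings are changed. Suggest "Review your AD FS access control policies (and the claim rules of any relying party that doesn't use an access control policy) and make sure none requires MFA to be performed on-premises as part of the authentication process." On the adjacent unchanged line, "Staged rollout" is lower-case here but "Staged Rollout" two bullets up; pick one form.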
@@ -453,4 +453,4 @@ Set the **Staged Rollout for Azure MFA** to **Off**. Users will once again be re
453453
## Next steps
454454

455455
- [Overview of how to migrate from MFA Server to Azure AD Multi-Factor Authentication](how-to-migrate-mfa-server-to-azure-mfa.md)
456-
- [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md)
456+
- [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md)
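Review bot: the removed and added versions of line 456 are identical as rendered, so this hunk is an invisible change (trailing whitespace or a missing end-of-file newline). That is fine if intended, but a short mention would save the next reviewer from hunting for a content difference.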

articles/active-directory/devices/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -76,7 +76,7 @@
7676
items:
7777
- name: Enable enterprise state roaming
7878
href: enterprise-state-roaming-enable.md
79-
- name: Enable enterprise state FAQs
79+
- name: Enterprise state roaming FAQs
8080
href: enterprise-state-roaming-faqs.yml
8181
- name: Troubleshoot enterprise state roaming
8282
href: enterprise-state-roaming-troubleshooting.md

articles/active-directory/devices/enterprise-state-roaming-enable.md

Lines changed: 1 addition & 3 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: devices
88
ms.topic: how-to
9-
ms.date: 02/15/2022
9+
ms.date: 11/17/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -19,8 +19,6 @@ ms.collection: M365-identity-device-management
1919

2020
Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard [consumer settings sync](https://go.microsoft.com/fwlink/?linkid=2015135) that was first introduced in Windows 8. Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license. For more information on how to get an Azure AD subscription, see the [Azure AD product page](https://azure.microsoft.com/services/active-directory).
2121

22-
When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license for Azure Rights Management protection from Azure Information Protection. This free subscription is limited to encrypting and decrypting enterprise settings and application data synced by Enterprise State Roaming. You must have [a paid subscription](https://azure.microsoft.com/services/information-protection/) to use the full capabilities of the Azure Rights Management service.
23-
2422
> [!NOTE]
2523
> This article applies to the Microsoft Edge Legacy HTML-based browser launched with Windows 10 in July 2015. The article does not apply to the new Microsoft Edge Chromium-based browser released on January 15, 2020. For more information on the Sync behavior for the new Microsoft Edge, see the article [Microsoft Edge Sync](/deployedge/microsoft-edge-enterprise-sync).
2624
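Review bot: deleting the Azure Rights Management paragraph at lines 22-23 leaves this page with no statement at all about how roamed settings are protected, which is the first question an admin evaluating Enterprise State Roaming asks. The FAQ updated in this same commit now says Azure Rights Management stopped being used in November 2022 and sketches the replacement scheme; add a one-sentence pointer from this overview to that "How is the data secured?" answer so the two pages don't drift apart. Separately, the NOTE about Microsoft Edge Legacy now sits directly after the overview paragraph, where it reads as if it qualified the whole article; consider moving it next to the content it actually qualifies.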

articles/active-directory/devices/enterprise-state-roaming-faqs.yml

Lines changed: 20 additions & 25 deletions
@@ -7,13 +7,13 @@ metadata:
77
ms.service: active-directory
88
ms.subservice: devices
99
ms.topic: faq
10-
ms.date: 02/25/2022
10+
ms.date: 11/17/2022
1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: amycolannino
14-
ms.reviewer: guovivian
14+
ms.reviewer: guovivian, nahafez
1515
ms.collection: M365-identity-device-management
16-
title: Settings and data roaming FAQ
16+
title: Settings and data roaming FAQ for administrators
1717
summary: This article answers some questions IT administrators might have about settings and app data sync.
1818

1919

@@ -23,36 +23,36 @@ sections:
2323
- question: |
2424
What account is used for settings sync?
2525
answer: |
26-
In Windows 8.1, settings sync always used consumer Microsoft accounts. Enterprise users had the ability to connect a Microsoft account to their Active Directory domain account to gain access to settings sync. In Windows 10, this connected Microsoft account functionality is being replaced with a primary/secondary account framework.
26+
In Windows 8.1, settings sync always used consumer Microsoft accounts. Enterprise users had the ability to connect a Microsoft account to their Active Directory domain account to gain access to settings sync. In Windows 10 and newer, this connected Microsoft account functionality is being replaced with a primary/secondary account framework.
2727
28-
The primary account is defined as the account used to sign in to Windows. This can be a Microsoft account, an Azure Active Directory (Azure AD) account, an on-premises Active Directory account, or a local account. In addition to the primary account, Windows 10 users can add one or more secondary cloud accounts to their device. A secondary account is generally a Microsoft account, an Azure AD account, or some other account such as Gmail or Facebook. These secondary accounts provide access to additional services such as single sign-on and the Windows Store, but they aren't capable of powering settings sync.
28+
The primary account is defined as the account used to sign in to Windows. This can be a Microsoft account, an Azure Active Directory (Azure AD) account, an on-premises Active Directory account, or a local account. In addition to the primary account, Windows 10 and newer users can add one or more secondary cloud accounts to their device. A secondary account is generally a Microsoft account, an Azure AD account, or some other account such as Gmail or Facebook. These secondary accounts provide access to additional services such as single sign-on and the Windows Store, but they aren't capable of powering settings sync.
2929
3030
Data is never mixed between the different user accounts on the device. There are two rules for settings sync:
3131
3232
* Windows settings will always roam with the primary account.
3333
* App data will be tagged with the account used to acquire the app. Only apps tagged with the primary account will sync. App ownership tagging is determined when an app is side-loaded through the Windows Store or mobile device management (MDM).
3434
35-
If an application owner can't be identified, it will roam with the primary account. If a device is upgraded from Windows 8 or Windows 8.1 to Windows 10, all the apps will be tagged as acquired by the Microsoft account. This is because most users acquire apps through the Windows Store, and there was no Windows Store support for Azure AD accounts prior to Windows 10. If an app is installed via an offline license, the app will be tagged using the primary account on the device.
35+
If an application owner can't be identified, it will roam with the primary account. If a device is upgraded from Windows 8 or Windows 8.1 to Windows 10 and newer, all the apps will be tagged as acquired by the Microsoft account. This is because most users acquire apps through the Windows Store, and there was no Windows Store support for Azure AD accounts prior to Windows 10. If an app is installed via an offline license, the app will be tagged using the primary account on the device.
3636
3737
> [!NOTE]
38-
> Windows 10 or newer devices that are enterprise-owned and are connected to Azure AD can no longer connect their Microsoft accounts to a domain account. The ability to connect a Microsoft account to a domain account and have all the user's data sync to the Microsoft account (that is, the Microsoft account roaming via the connected Microsoft account and Active Directory functionality) is removed from Windows 10 devices that are joined to a connected Active Directory or Azure AD environment.
38+
> Windows 10 or newer devices that are enterprise-owned and are connected to Azure AD can no longer connect their Microsoft accounts to a domain account. The ability to connect a Microsoft account to a domain account and have all the user's data sync to the Microsoft account (that is, the Microsoft account roaming via the connected Microsoft account and Active Directory functionality) is removed from Windows 10 and newer devices that are joined to a connected Active Directory or Azure AD environment.
3939
4040
- question: |
4141
How do I upgrade from Microsoft account settings sync in Windows 8 to Azure AD settings sync in Windows 10 or newer?
4242
answer: |
43-
If you're joined to the Active Directory domain running Windows 8.1 with a connected Microsoft account, you'll sync settings through your Microsoft account. After upgrading to Windows 10, you'll continue to sync user settings via Microsoft account as long as you're a domain-joined user and the Active Directory domain doesn't connect with Azure AD.
43+
If you're joined to the Active Directory domain running Windows 8.1 with a connected Microsoft account, you'll sync settings through your Microsoft account. After upgrading to Windows 10 and newer, you'll continue to sync user settings via Microsoft account as long as you're a domain-joined user, and the Active Directory domain doesn't connect with Azure AD.
4444
45-
If the on-premises Active Directory domain does connect with Azure AD, your device will attempt to sync settings using the connected Azure AD account. If the Azure AD administrator doesn't enable Enterprise State Roaming, your connected Azure AD account will stop syncing settings. If you're a Windows 10 user and you sign in with an Azure AD identity, you'll start syncing windows settings as soon as your administrator enables settings sync via Azure AD.
45+
If the on-premises Active Directory domain does connect with Azure AD, your device will attempt to sync settings using the connected Azure AD account. If the Azure AD administrator doesn't enable Enterprise State Roaming, your connected Azure AD account will stop syncing settings. If you're running Windows 10 and newer and you sign in with an Azure AD identity, you'll start syncing windows settings as soon as your administrator enables settings sync via Azure AD.
4646
47-
If you stored any personal data on your corporate device, you should be aware that Windows OS and application data will begin syncing to Azure AD. This has the following implications:
47+
If you stored any personal data on your corporate device, you should know Windows OS and application data will begin syncing to Azure AD. This has the following implications:
4848
4949
* Your personal Microsoft account settings will drift apart from the settings on your work or school Azure AD accounts. This is because the Microsoft account and Azure AD settings sync are now using separate accounts.
5050
* Personal data such as Wi-Fi passwords, web credentials, and Internet Explorer favorites that were previously synced via a connected Microsoft account will be synced via Azure AD.
5151
5252
- question: |
5353
How do Microsoft account and Azure AD Enterprise State Roaming interoperability work?
5454
answer: |
55-
In the November 2015 or later releases of Windows 10, Enterprise State Roaming is only supported for a single account at a time. If you sign in to Windows by using a work or school Azure AD account, all data will sync via Azure AD. If you sign in to Windows by using a personal Microsoft account, all data will sync via the Microsoft account. Universal app data will roam using only the primary sign-in account on the device, and it will roam only if the apps license is owned by the primary account. Universal app data for the apps owned by any secondary accounts won't be synced.
55+
In the November 2015 or later releases of Windows 10, Enterprise State Roaming is only supported for a single account at a time. If you sign in to Windows by using a work or school Azure AD account, all data will sync via Azure AD. If you sign in to Windows by using a personal Microsoft account, all data will sync via the Microsoft account. Universal app data will roam using only the primary sign-in account on the device, and it will roam only if the app's license is owned by the primary account. Universal app data for the apps owned by any secondary accounts won't be synced.
5656
5757
- question: |
5858
Do settings sync for Azure AD accounts from multiple tenants?
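Review bot: the phrase "Windows 10 and newer" introduced throughout this hunk is inconsistent with "Windows 10 or newer" on unchanged lines of the same answers (the question "How do I upgrade ... in Windows 10 or newer?" and "Windows 10 or newer devices that are enterprise-owned"), and the NOTE now mixes both forms in one sentence. "Upgraded from Windows 8 or Windows 8.1 to Windows 10 and newer" also doesn't parse, since an upgrade targets one version. Use "Windows 10 or newer" everywhere, and in that sentence "upgraded ... to Windows 10 or newer". While touching the first answer, "this connected Microsoft account functionality is being replaced" was true in 2015; it is now simply "is replaced".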
@@ -85,16 +85,16 @@ sections:
8585
Enterprise State Roaming stores all synced data in the Microsoft cloud. UE-V offers an on-premises roaming solution.
8686
8787
- question: |
88-
Who owns the data that's being roamed?
88+
How is the data secured?
8989
answer: |
90-
The enterprises own the data roamed via Enterprise State Roaming. Data is stored in an Azure datacenter. All user data is encrypted both in transit and at rest in the cloud using the Azure Rights Management service from Azure Information Protection. This is an improvement compared to Microsoft account-based settings sync, which encrypts only certain sensitive data such as user credentials before it leaves the device.
91-
92-
Microsoft is committed to safeguarding customer data. An enterprise user's settings data is automatically encrypted by the Azure Rights Management service before it leaves a Windows 10 device, so no other user can read this data. If your organization has a paid subscription for the Azure Rights Management service, you can use other protection features, such as track and revoke documents, automatically protect emails that contain sensitive information, and manage your own keys (the "bring your own key" solution, also known as BYOK). For more information about these features and how this protection service works, see [What is Azure Rights Management](/azure/information-protection/what-is-information-protection).
90+
Prior to Nov 2022 all user data was secured using [Azure Rights Management](/azure/information-protection/what-is-information-protection).
91+
92+
Starting in November 2022, Microsoft no longer uses Azure Rights Management for all data encryption. Microsoft is committed to safeguarding customer data. Certain sensitive data such as passwords will be encrypted client side with keys derived from the Azure AD tenant to ensure an extra layer of security. All user data (including non-sensitive data) will be encrypted in transit and at rest in the cloud. For a list of sensitive and non-sensitive data items roamed, see [Windows roaming settings reference](enterprise-state-roaming-windows-settings-reference.md).
9393
9494
- question: |
9595
Can I manage sync for a specific app or setting?
9696
answer: |
97-
In Windows 10 or newer, there's no MDM or Group Policy setting to disable roaming for an individual application. Tenant administrators can disable app data sync for all apps on a managed device, but there's no finer control at a per-app or within-app level.
97+
In Windows 10 or newer, administrators can disable sync for all settings sync groups on a managed device with MDM or Group Policy.
9898
9999
- question: |
100100
How can I enable or disable roaming?
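Review bot: the new "How is the data secured?" answer is ambiguous exactly where precision matters: "Microsoft no longer uses Azure Rights Management for all data encryption" can be read either as "RMS is no longer used at all" or as "RMS is still used for some data", and the following sentences describe only the new scheme. Say plainly which it is. "Encrypted client side with keys derived from the Azure AD tenant" also doesn't say what the key is derived from, who holds it, or whether the tenant controls rotation; an admin reading a security FAQ needs at least "Microsoft-managed, per-tenant key" or the equivalent, confirmed with engineering rather than guessed. The removed "Who owns the data that's being roamed?" statement (the enterprise owns data roamed via Enterprise State Roaming) is not reproduced anywhere in the new text; keep that sentence, since ownership and encryption are different questions. Finally, the rewritten answer to "Can I manage sync for a specific app or setting?" no longer answers it: the old text said there is no per-app control, the new text only says admins can disable all settings sync groups, so a reader still doesn't know whether per-app control exists. If the "no finer control" sentence was dropped because it is no longer accurate, say what replaced it; otherwise keep it, for example "Administrators can disable sync for all settings sync groups on a managed device with MDM or Group Policy, but there's no finer control at a per-app level."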
@@ -104,23 +104,18 @@ sections:
104104
- question: |
105105
What is Microsoft's recommendation for enabling roaming in Windows 10 or newer?
106106
answer: |
107-
Microsoft has a few different settings roaming solutions available, including Roaming User Profiles, UE-V, and Enterprise State Roaming. If your organization isn't ready or comfortable with moving data to the cloud, then we recommend that you use UE-V as your primary roaming technology. If your organization requires roaming support for existing Windows desktop applications but is eager to move to the cloud, we recommend that you use both Enterprise State Roaming and UE-V. Although UE-V and Enterprise State Roaming are very similar technologies, they aren't mutually exclusive. They complement each other to help ensure that your organization provides the roaming services that your users need.
107+
Microsoft has a few different settings roaming solutions available, including UE-V and Enterprise State Roaming. If your organization isn't ready or comfortable with moving data to the cloud, then we recommend that you use UE-V as your primary roaming technology. If your organization requires roaming support for existing Windows desktop applications but is eager to move to the cloud, we recommend that you use both Enterprise State Roaming and UE-V. Although UE-V and Enterprise State Roaming are similar technologies, they aren't mutually exclusive. They complement each other to help ensure that your organization provides the roaming services that your users need.
108108
109-
When using both Enterprise State Roaming and UE-V, the following rules apply:
109+
When using both Enterprise State Roaming and UE-V, Enterprise State Roaming is the primary roaming agent on the device. UE-V is being used to supplement Win32 applications.
110110
111111
* Enterprise State Roaming is the primary roaming agent on the device. UE-V is being used to supplement the “Win32 gap.”
112-
* UE-V roaming for Windows settings and modern UWP app data should be disabled when using the UE-V group policies. These are already covered by Enterprise State Roaming.
112+
* UE-V roaming for Windows settings and modern UWP app data should be disabled when using the UE-V group policies. These settings are already covered by Enterprise State Roaming.
113113
114114
- question: |
115115
How does Enterprise State Roaming support virtual desktop infrastructure (VDI)?
116116
answer: |
117117
Enterprise State Roaming is supported on Windows 10 or newer client SKUs, but not on server SKUs. If a client VM is hosted on a hypervisor machine and you remotely sign in to the virtual machine, your data will roam. If multiple users share the same OS and users remotely sign in to a server for a full desktop experience, roaming might not work. The latter session-based scenario isn't officially supported.
118-
119-
- question: |
120-
What happens when my organization purchases a subscription that includes Azure Rights Management after using roaming?
121-
answer: |
122-
If your organization is already using roaming in Windows 10 or newer with the Azure Rights Management limited-use free subscription, purchasing a [paid subscription](https://azure.microsoft.com/services/information-protection/) that includes the Azure Rights Management protection service won't have any impact on the functionality of the roaming feature, and no configuration changes will be required by your IT administrator.
123-
118+
124119
additionalContent: |
125120
126121
## Next steps
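Review bot: the rewritten lead-in ("Enterprise State Roaming is the primary roaming agent on the device. UE-V is being used to supplement Win32 applications.") now says the same thing as the unchanged first bullet that follows it ("Enterprise State Roaming is the primary roaming agent on the device. UE-V is being used to supplement the "Win32 gap.""), and with "the following rules apply:" gone the bullets hang without an introduction. Either restore the "the following rules apply:" sentence and keep both bullets, or drop the first bullet and keep only the UE-V group policy one. "Microsoft has a few different settings roaming solutions" now lists exactly two after Roaming User Profiles was removed, so "a few" reads oddly; say "two". Removing the Azure Rights Management subscription question is consistent with the "How is the data secured?" change above.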
