Merge pull request #216326 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 10/28

Author: ttorble

articles/active-directory/devices/TOC.yml

@@ -53,13 +53,15 @@
       - name: Troubleshoot hybrid Azure AD joined Windows current version
         href: troubleshoot-hybrid-join-windows-current.md
       - name: Troubleshoot pending device state
-        href: /troubleshoot/azure/active-directory/pending-devices
+        href: /troubleshoot/azure/active-directory/pending-devices?toc=/azure/active-directory/fundamentals/toc.json
       - name: Troubleshoot using dsregcmd
         href: troubleshoot-device-dsregcmd.md
       - name: Troubleshoot hybrid Azure AD joined down level Windows devices
         href: troubleshoot-hybrid-join-windows-legacy.md
   - name: Manage device identities
     href: device-management-azure-portal.md
+  - name: Troubleshooting Windows devices
+    href: troubleshoot-device-windows-joined.md
   - name: Manage stale devices
     href: manage-stale-devices.md
   - name: Azure Linux VMs and Azure AD

articles/active-directory/devices/media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png

@@ -0,0 +1,38 @@
+---
+title: Troubleshoot registered, hybrid, and Azure AD joined Windows machines
+description: This article helps you troubleshoot hybrid Azure Active Directory-joined Windows 10 and Windows 11 devices
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: devices
+ms.topic: troubleshooting
+ms.date: 08/29/2022
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: amycolannino
+ms.reviewer: jogro
+---
+# Troubleshooting Windows devices in Azure AD
+
+If you have a Windows 11 or Windows 10 device that isn't working with Azure Active Directory (Azure AD) correctly, start your troubleshooting here.
+
+1. Sign in to the **Azure portal**.
+1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**.
+1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter.
+   :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png":::
+1. Select **instructions** and follow the steps to download, run, and collect the required logs for the troubleshooter to analyze.
+1. Return to the Azure portal when you've collected and zipped the `authlogs` folder and contents.
+1. Select **Browse** and choose the zip file you wish to upload.
+   :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png" alt-text="A screenshot showing how to browse to select the logs gathered in the previous step to allow the troubleshooter to make recommendations." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png":::
+
+The troubleshooter will review the contents of the file you uploaded and provide suggested next steps. These next steps may include links to documentation or contacting support for further assistance.
+
+## Next steps
+
+- [Troubleshoot devices by using the dsregcmd command](troubleshoot-device-dsregcmd.md)
+- [Troubleshoot hybrid Azure AD-joined devices](troubleshoot-hybrid-join-windows-current.md)
+- [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md)
+- [Troubleshoot pending device state](/troubleshoot/azure/active-directory/pending-devices)
+- [MDM enrollment of Windows 10-based devices](/windows/client-management/mdm/mdm-enrollment-of-windows-devices)
+- [Troubleshooting Windows device enrollment errors in Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors)

articles/active-directory/devices/media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: troubleshooting
-ms.date: 02/15/2022
+ms.date: 08/29/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -508,7 +508,7 @@ Use Event Viewer to look for the log entries that are logged by the Azure AD Clo
 > [!NOTE]
 > When you're collecting network traces, it's important to *not* use Fiddler during repro.
 
-1.    Run `netsh trace start scenario=internetClient_dbg capture=yes persistent=yes`.
+1. Run `netsh trace start scenario=internetClient_dbg capture=yes persistent=yes`.
 1. Lock and unlock the device. For hybrid-joined devices, wait a minute or more to allow the PRT acquisition task to finish.
 1. Run `netsh trace stop`.
 1. Share the *nettrace.cab* file with Support.

articles/active-directory/devices/troubleshoot-device-windows-joined.md

@@ -78,7 +78,7 @@ To enable self-service application access to an application, follow the steps be
 
 1. Select the **Save** button at the top of the pane to finish.
 
-Once you complete self-service application configuration, users can navigate to their My Apps portal and select **Add self-service apps** to find the apps that are enabled with self-service access. Business approvers also see a notification in their My Apps portal. You can enable an email notifying them when a user has requested access to an application that requires their approval.
+Once you complete self-service application configuration, users can navigate to their My Apps portal and select **Request new apps** to find the apps that are enabled with self-service access. Business approvers also see a notification in their My Apps portal. You can enable an email notifying them when a user has requested access to an application that requires their approval.
 
 ## Next steps
 

articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md

@@ -4,7 +4,7 @@ description: Learn how to configure a cluster in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: article
 ms.custom: ignite-2022
-ms.date: 10/04/2022
+ms.date: 10/28/2022
 ---
 
 # Configure an AKS cluster
@@ -369,7 +369,7 @@ This enables an OIDC Issuer URL of the provider which allows the API server to d
 
 ### Prerequisites
 
-* The Azure CLI version 2.40.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 * AKS version 1.22 and higher. If your cluster is running version 1.21 and the OIDC Issuer preview is enabled, we recommend you upgrade the cluster to the minimum required version supported.
 
 ### Create an AKS cluster with OIDC Issuer

articles/active-directory/manage-apps/manage-self-service-access.md

@@ -36,11 +36,13 @@ A conceptual overview of this feature is available in [Cluster extensions - Azur
 * [Azure CLI](/cli/azure/install-azure-cli) version >= 2.16.0 installed.
 
 > [!NOTE]
-> If you have enabled [AAD-based pod identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it,
-> we recommend you first review [Migrate to workload identity][migrate-workload-identity] to understand our
+> If you have enabled [Azure AD pod-managed identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it,
+> we recommend you first review [Workload identity overview][workload-identity-overview] to understand our
 > recommendations and options to set up your cluster to use an Azure AD workload identity (preview).
 > This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities
 > to federate with any external identity providers.
+>
+> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
 
 ### Set up the Azure CLI extension for cluster extensions
 
@@ -189,7 +191,8 @@ az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-g
 [gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md
 [k8s-extension-reference]: /cli/azure/k8s-extension
 [use-managed-identity]: ./use-managed-identity.md
-[migrate-workload-identity]: workload-identity-overview.md
+[workload-identity-overview]: workload-identity-overview.md
+[use-azure-ad-pod-identity]: use-azure-ad-pod-identity.md
 
 <!-- EXTERNAL -->
 [arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all

articles/aks/cluster-configuration.md

@@ -18,7 +18,7 @@ The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides a variet
 An [Azure AD workload identity][workload-identity] is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer where Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).
 
 > [!NOTE]
-> This authentication method replaces pod-managed identity (preview).
+> This authentication method replaces Azure AD pod-managed identity (preview). The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
 
 ### Prerequisites
 

articles/aks/cluster-extensions.md

@@ -131,7 +131,7 @@ helm install ingress-nginx/ingress-nginx --generate-name \
 The ingress controller’s deployment will reference the Secrets Store CSI Driver's Azure Key Vault provider.
 
 > [!NOTE]
-> If not using Azure Active Directory (AAD) pod identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME`
+> If not using Azure Active Directory (Azure AD) pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME`
 
 ```bash
 helm install ingress-nginx/ingress-nginx --generate-name \