Merge branch 'main' into release-ga-purview-policy

Author: v-alje

articles/active-directory/authentication/concept-authentication-strengths.md

@@ -205,15 +205,14 @@ An authentication strength Conditional Access policy works together with [MFA tr
   - Email one-time pass (Guest)
   - Hardware-based OATH token
 
-- **Conditional Access What-if tool** – When running the what-if tool, it will return policies that require authentication strength correctly. However, when clicking on the authentication strength name, a name page is open with additional information about the methods the user can use. This information may be incorrect.
-
 - **Authentication strength is not enforced on Register security information user action** – If an Authentication strength Conditional Access policy targets **Register security information** user action, the policy would not apply. 
 
-- **Conditional Access audit log** – When a Conditional Access policy with the authentication strength grant control is created or updated in the Azure AD portal, the auditing log includes details about the policy that was updated, but doesn't include the details about which authentication strength is referenced by the Conditional Access policy. This issue doesn't exist when a policy is created or updated By using Microsoft Graph APIs.
-
 - **Using 'Require one of the selected controls' with 'require authentication strength' control** - After you select authentication strengths grant control and additional controls, all the selected controls must be satisfied in order to gain access to the resource. Using **Require one of the selected controls** isn't applicable, and will default to requiring all the controls in the policy.
 
-- **Authentication loop** - when the user is required to use Microsoft Authenticator (Phone Sign-in) but the user is not registered for this method, they will be given instructions on how to set up the Microsoft Authenticator, that does not include how to enable Passwordless sign-in. As a result, the user can get into an authentication loop. To avoid this issue, make sure the user is registered for the method before the Conditional Access policy is enforced. Phone Sign-in can be registered using the steps outlined here: [Add your work or school account to the Microsoft Authenticator app](https://support.microsoft.com/en-us/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c)
+- **Authentication loop** can happen in one of the following scenarios: 
+1. **Microsoft Authenticator (Phone Sign-in)** -  When the user is required to use Microsoft Authenticator (Phone Sign-in) but the user is not registered for this method, they will be given instructions on how to set up the Microsoft Authenticator, that does not include how to enable Passwordless sign-in. As a result, the user can get into an authentication loop. To avoid this issue, make sure the user is registered for the method before the Conditional Access policy is enforced. Phone Sign-in can be registered using the steps outlined here: [Add your work or school account to the Microsoft Authenticator app ("Sign in with your credentials")](https://support.microsoft.com/en-us/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c)
+2. **Conditional Access Policy is targeting all apps** - When the Conditional Access policy is targeting "All apps" but the user is not registered for any of the methods required by the authentication strength, the user will get into an authentication loop. To avoid this issue, target specific applications in the Conditional Access policy or make sure the user is registered for at least one of the authentication methods required by the authentication strength Conditional Access policy.
+
 
 ## Limitations
 

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 10/21/2022
+ms.date: 10/27/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -43,7 +43,9 @@ Number matching is available for the following scenarios. When enabled, all scen
 >[!NOTE]
 >For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience. 
 
-Number matching is available for sign-in for Azure Government. It's available for combined registration two weeks after General Availability. Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.
+Number matching is available for sign-in for Azure Government. However, it's currently not available for Authenticator setup in combined registration. Number matching will be available for Authenticator setup in [combined registration](howto-registration-mfa-sspr-combined.md) by November 30, 2022 for Azure Government.
+
+Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.
 
 ### Multifactor authentication
 
@@ -57,7 +59,7 @@ During self-service password reset, the Authenticator app notification will show
 
 ### Combined registration
 
-When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification. Number matching will be available for combined registration in Azure Government two weeks after General Availability.
+When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification. Number matching will be available for Authenticator setup in combined registration in Azure Government by November 30, 2022.
 
 ### AD FS adapter
 

articles/active-directory/devices/TOC.yml

@@ -53,13 +53,15 @@
       - name: Troubleshoot hybrid Azure AD joined Windows current version
         href: troubleshoot-hybrid-join-windows-current.md
       - name: Troubleshoot pending device state
-        href: /troubleshoot/azure/active-directory/pending-devices
+        href: /troubleshoot/azure/active-directory/pending-devices?toc=/azure/active-directory/fundamentals/toc.json
       - name: Troubleshoot using dsregcmd
         href: troubleshoot-device-dsregcmd.md
       - name: Troubleshoot hybrid Azure AD joined down level Windows devices
         href: troubleshoot-hybrid-join-windows-legacy.md
   - name: Manage device identities
     href: device-management-azure-portal.md
+  - name: Troubleshooting Windows devices
+    href: troubleshoot-device-windows-joined.md
   - name: Manage stale devices
     href: manage-stale-devices.md
   - name: Azure Linux VMs and Azure AD

articles/active-directory/devices/media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png

@@ -0,0 +1,38 @@
+---
+title: Troubleshoot registered, hybrid, and Azure AD joined Windows machines
+description: This article helps you troubleshoot hybrid Azure Active Directory-joined Windows 10 and Windows 11 devices
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: devices
+ms.topic: troubleshooting
+ms.date: 08/29/2022
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: amycolannino
+ms.reviewer: jogro
+---
+# Troubleshooting Windows devices in Azure AD
+
+If you have a Windows 11 or Windows 10 device that isn't working with Azure Active Directory (Azure AD) correctly, start your troubleshooting here.
+
+1. Sign in to the **Azure portal**.
+1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**.
+1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter.
+   :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png":::
+1. Select **instructions** and follow the steps to download, run, and collect the required logs for the troubleshooter to analyze.
+1. Return to the Azure portal when you've collected and zipped the `authlogs` folder and contents.
+1. Select **Browse** and choose the zip file you wish to upload.
+   :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png" alt-text="A screenshot showing how to browse to select the logs gathered in the previous step to allow the troubleshooter to make recommendations." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows-upload.png":::
+
+The troubleshooter will review the contents of the file you uploaded and provide suggested next steps. These next steps may include links to documentation or contacting support for further assistance.
+
+## Next steps
+
+- [Troubleshoot devices by using the dsregcmd command](troubleshoot-device-dsregcmd.md)
+- [Troubleshoot hybrid Azure AD-joined devices](troubleshoot-hybrid-join-windows-current.md)
+- [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md)
+- [Troubleshoot pending device state](/troubleshoot/azure/active-directory/pending-devices)
+- [MDM enrollment of Windows 10-based devices](/windows/client-management/mdm/mdm-enrollment-of-windows-devices)
+- [Troubleshooting Windows device enrollment errors in Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors)

articles/active-directory/devices/media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: troubleshooting
-ms.date: 02/15/2022
+ms.date: 08/29/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -508,7 +508,7 @@ Use Event Viewer to look for the log entries that are logged by the Azure AD Clo
 > [!NOTE]
 > When you're collecting network traces, it's important to *not* use Fiddler during repro.
 
-1.    Run `netsh trace start scenario=internetClient_dbg capture=yes persistent=yes`.
+1. Run `netsh trace start scenario=internetClient_dbg capture=yes persistent=yes`.
 1. Lock and unlock the device. For hybrid-joined devices, wait a minute or more to allow the PRT acquisition task to finish.
 1. Run `netsh trace stop`.
 1. Share the *nettrace.cab* file with Support.