Merge branch 'main' of http://github.com/MicrosoftDocs/azure-docs-pr into aca/getting-started

Author: craigshoemaker

articles/active-directory/devices/plan-device-deployment.md

@@ -237,6 +237,7 @@ Administrators can also [deploy virtual desktop infrastructure (VDI) platforms](
 
 ## Next steps
 
+* [Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics)
 * [Plan your Azure AD join implementation](device-join-plan.md)
 * [Plan your hybrid Azure AD join implementation](hybrid-join-plan.md)
 * [Manage device identities](manage-device-identities.md)

articles/defender-for-cloud/enable-pull-request-annotations.md

@@ -149,7 +149,7 @@ Once you've completed these steps, you can select the build pipeline you created
 1. (Optional) Select a category from the drop-down menu. 
 
     > [!NOTE]
-    > Only secret scan results and Infrastructure-as-Code misconfigurations for ARM/Bicep templates are currently supported.
+    > Only secret scan results and Infrastructure-as-Code misconfigurations (ARM, Bicep, Terraform, CloudFormation, Dockerfiles, Helm Charts, and more) are currently supported.
 
 1. (Optional) Select a severity level from the drop-down menu.
 

articles/storage/files/storage-files-identity-auth-hybrid-identities-enable.md

@@ -195,7 +195,7 @@ Enable the Azure AD Kerberos functionality on the client machine(s) you want to
 
 Use one of the following three methods:
 
-- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled)
+- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled), set to 1
 - Configure this group policy on the client(s): `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`
 - Create the following registry value on the client(s): `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1`
 
@@ -217,6 +217,29 @@ Add an entry for each storage account that uses on-premises AD DS integration. U
 
 Changes aren't instant, and require a policy refresh or a reboot to take effect.
 
+## Undo the client configuration to retrieve Kerberos tickets
+
+If you no longer want to use a client machine for Azure AD Kerberos authentication, you can disable the Azure AD Kerberos functionality on that machine. Use one of the following three methods:
+
+- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled), set to 0
+- Configure this group policy on the client(s): `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`
+- Create the following registry value on the client(s): `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 0`
+
+Changes are not instant, and require a policy refresh or a reboot to take effect.
+
+If you followed the steps in [Configure coexistence with storage accounts using on-premises AD DS](#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds), you can optionally remove all host name to Kerberos realm mappings from the client machine. Use one of the following three methods:
+
+- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm)
+- Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`
+- Run the `ksetup` Windows command on the client(s): `ksetup /delhosttorealmmap <hostname> <realmname>`
+  - For example, `ksetup /delhosttorealmmap <your storage account name>.file.core.windows.net contoso.local`
+  - You can view the list of current host name to Kerberos realm mappings by inspecting the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm`.
+
+Changes aren't instant, and require a policy refresh or a reboot to take effect.
+
+> [!IMPORTANT]
+> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for Azure AD Kerberos authentication. However, they will be able to connect to storage accounts configured to AD DS, without any additional configuration.
+
 ## Disable Azure AD authentication on your storage account
 
 If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI.

includes/policy/reference/bycat/policies-healthcare-apis.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---

includes/policy/reference/bycat/policies-internet-of-things.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---

includes/policy/reference/bycat/policies-key-vault.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---

includes/policy/reference/bycat/policies-kubernetes.md

@@ -2,13 +2,14 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---
 
 |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
 |---|---|---|---|
+|[\[Preview\]: \[Image Integrity\] Kubernetes clusters should only use images signed by notation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf426bb8-b320-4321-8545-1b784a5df3a4) |Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit [https://aka.ms/aks/image-integrity](https://aka.ms/aks/image-integrity) |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json) |
 |[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](../../../../articles/defender-for-cloud/defender-for-containers-enable.md). |AuditIfNotExists, Disabled |[6.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |
 |[\[Preview\]: Cannot Edit Individual Nodes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53a4a537-990c-495a-92e0-7c21a465442c) |Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. |Audit, Deny, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json) |
 |[\[Preview\]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F708b60a6-d253-4fe0-9114-4be4c00f012c) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](../../../../articles/defender-for-cloud/defender-for-containers-enable.md). |DeployIfNotExists, Disabled |[7.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Deploy.json) |

includes/policy/reference/bycat/policies-lab-services.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---

includes/policy/reference/bycat/policies-lighthouse.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---

includes/policy/reference/bycat/policies-logic-apps.md

@@ -2,7 +2,7 @@
 author: davidsmatlak
 ms.service: azure-policy
 ms.topic: include
-ms.date: 08/25/2023
+ms.date: 08/30/2023
 ms.author: davidsmatlak
 ms.custom: generated
 ---