Commit 2422a87

committed
revise with eng feedback
1 parent bc8b85a commit 2422a87

4 files changed

Lines changed: 8 additions & 8 deletions

memdocs/configmgr/apps/deploy-use/create-app-groups.md

Lines changed: 3 additions & 3 deletions
@@ -2,7 +2,7 @@
22
title: Create application groups
33
titleSuffix: Configuration Manager
44
description: Create a group of applications that you can send to a user or device collection as a single deployment in Configuration Manager.
5-
ms.date: 12/01/2021
5+
ms.date: 03/11/2022
66
ms.prod: configuration-manager
77
ms.technology: configmgr-app
88
ms.topic: how-to
@@ -78,8 +78,8 @@ Starting in version 2111, you can use the following [app approval](app-approval.
7878
- The following deployment options may not work: alerts, phased deployment, repair.
7979
- You can't use application groups with the **Install Application** task sequence step.
8080
- You can't export or import app groups.
81-
- Don't include in the group any apps that require restart, or the group deployment may fail.
82-
- In 2107 and earlier, if you delete an app that's a part of an app group, you'll see the following warning when you next view the properties of the app group: "Unable to load information about all applications in the group." Make a small change to the app group and save it. For example, add a space to the **Administrator comments**. When you save the change, it removes the deleted app from the group.<!-- 7099542 --> Starting in version 2111, you can't delete an app that's part of an app group.
81+
- In version 2103 and earlier, don't include in the group any apps that require restart, or the group deployment may fail.
82+
- In version 2107 and earlier, if you delete an app that's a part of an app group, you'll see the following warning when you next view the properties of the app group: "Unable to load information about all applications in the group." Make a small change to the app group and save it. For example, add a space to the **Administrator comments**. When you save the change, it removes the deleted app from the group.<!-- 7099542 --> Starting in version 2111, you can't delete an app that's part of an app group.
8383
- In most scenarios, user categories on the app group don't display as filters in Software Center. If the app group is deployed as available to a user collection, the categories display.<!-- 12425254 -->
8484

8585
## PowerShell
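Review bot: The reworded restart bullet at new line 81 scopes the limitation to "version 2103 and earlier" but, unlike the bullet right below it, never says what happens in later versions. The delete-app bullet ends with "Starting in version 2111, you can't delete an app that's part of an app group"; add a matching closing sentence here that states how apps requiring a restart behave in a group after 2103, so readers on current versions know what to expect.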

memdocs/configmgr/core/clients/manage/cmg/manually-register-azure-ad-apps.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Manually register Azure AD apps
33
titleSuffix: Configuration Manager
44
description: Manually create the required apps in Azure Active Directory (Azure AD) to integrate the Configuration Manager site to support the cloud management gateway (CMG).
5-
ms.date: 08/24/2021
5+
ms.date: 03/11/2022
66
ms.prod: configuration-manager
77
ms.technology: configmgr-client
88
ms.topic: how-to
@@ -147,7 +147,7 @@ The web (server) app for CMG is now registered in Azure AD.
147147

148148
1. Under Advanced settings, set **Allow public client flows** to **Yes**. Select **Save**.
149149

150-
1. If you're going to use Azure AD User Discovery in Configuration Manager, you need to adjust the permissions on this app. In the menu of the app properties, select **API permissions**. By default it should have the **User.Read** delegated permission for the **Microsoft Graph** API.
150+
1. Adjust the permissions on this app. In the menu of the app properties, select **API permissions**. By default it should have the **User.Read** delegated permission for the **Microsoft Graph** API.
151151

152152
1. On the API permissions pane, select **Add a permission**.
153153
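Review bot: The step at new line 150 drops the condition "If you're going to use Azure AD User Discovery in Configuration Manager", so the permission change now reads as mandatory for every client app registration without saying why. The same step notes the app defaults to only the **User.Read** delegated permission for Microsoft Graph; name the feature that needs the added permission, or keep the condition if it is still only User Discovery, so admins can hold the app registration to least privilege.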

memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2107.md

Lines changed: 1 addition & 1 deletion
@@ -229,7 +229,7 @@ For more information, see [Cryptographic controls technical reference](../securi
229229

230230
<!--9217033-->
231231

232-
Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM). The certificate is also marked non-exportable.
232+
Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM) at least version 2.0. The certificate is also marked non-exportable.
233233

234234
If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It uses its self-signed certificate for signing messages with the site.
235235
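Review bot: In the changed sentence at new line 232, "typically the trusted platform module (TPM) at least version 2.0" is ungrammatical, and "typically" next to "at least" leaves it unclear whether 2.0 is a minimum the client enforces or only the common case. Split it into two sentences, one saying the KSP is typically the TPM and one stating the version condition explicitly. This article also doesn't say what the client does on a device that doesn't meet it; certificates-overview.md in this same commit describes the fallback to a software-based KSP, so link to it or repeat that sentence here.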

memdocs/configmgr/core/plan-design/security/certificates-overview.md

Lines changed: 2 additions & 2 deletions
@@ -77,7 +77,7 @@ For more information on how to install clients with a copy of the site server si
7777

7878
<!--9217033-->
7979

80-
Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107 or later, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM). The certificate is also marked non-exportable.
80+
Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107 or later, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM) at least version 2.0. The certificate is also marked non-exportable.
8181

8282
If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It uses its self-signed certificate for signing messages with the site. For more information, see [PKI certificate requirements](../network/pki-certificate-requirements.md).
8383

@@ -86,7 +86,7 @@ If the client also has a PKI-based certificate, it continues to use that certifi
8686
8787
When you update to version 2107 or later, clients with PKI certificates will recreate self-signed certificates, but don't reregister with the site. Clients without a PKI certificate will reregister with the site, which can cause extra processing at the site. Make sure that your process to update clients allows for randomization. If you simultaneously update lots of clients, it may cause a backlog on the site server.
8888

89-
Configuration Manager doesn't use TPMs that are known vulnerable. If a device has a vulnerable TPM, the client falls back to using a software-based KSP. The certificate is still not exportable.
89+
Configuration Manager doesn't use TPMs that are known vulnerable. For example, the TPM version is earlier than 2.0. If a device has a vulnerable TPM, the client falls back to using a software-based KSP. The certificate is still not exportable.
9090

9191
OS deployment media doesn't use hardware-bound certificates, it continues to use self-signed certificates from the site. You create the media on a device that has the console, but then it can run on any client.
9292
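Review bot: The sentence added at new line 89, "For example, the TPM version is earlier than 2.0.", offers a pre-2.0 TPM as an example of a "known vulnerable" TPM, which mixes a specification version with a vulnerability status and reads as a disconnected statement after the first sentence. Consider folding it in, such as "Configuration Manager doesn't use TPMs that are known vulnerable or that are earlier than version 2.0", and widen "If a device has a vulnerable TPM" in the next sentence so it is clear the software-based KSP fallback covers pre-2.0 devices as well.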
