diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 2d21a68dd9..155536f5e6 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20520,10 +20520,100 @@
       "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
       "redirect_document_id": true
     },
+    {
+      "source_path": "windows/client-management/mdm/applocker-xsd.md",
+      "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "education/windows/education-scenarios-store-for-business.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/teacher-get-minecraft.md",
+      "redirect_url": "/education/windows/get-minecraft-for-education",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/school-get-minecraft.md",
+      "redirect_url": "/education/windows/get-minecraft-for-education",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
       "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/whats-new/windows-10-insider-preview.md",
+      "redirect_url": "/windows/whats-new",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml
index 41ba94ebb6..25f20730ab 100644
--- a/browsers/edge/microsoft-edge-faq.yml
+++ b/browsers/edge/microsoft-edge-faq.yml
@@ -2,6 +2,7 @@
 metadata:
   title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros
   ms.reviewer: 
+  ms.date: 12/14/2020
   audience: itpro
   manager: dansimp
   description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
index 30d32a8d1a..2c433182a9 100644
--- a/browsers/enterprise-mode/enterprise-mode.md
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -11,7 +11,7 @@ ms.reviewer:
 manager: dansimp
 title: Enterprise Mode for Microsoft Edge
 ms.sitesec: library
-ms.date: ''
+ms.date: 07/17/2018
 ---
 
 # Enterprise Mode for Microsoft Edge
@@ -55,5 +55,3 @@ You can build and manage your Enterprise Mode Site List is by using any generic
 
 
 ### Add multiple sites to the site list
-
-
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4573423115..2cfad8e8db 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,3 +1,6 @@
+---
+ms.date: 07/17/2018
+---
 Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
 centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
 
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
index 34359d6f1b..b10897a3d3 100644
--- a/browsers/enterprise-mode/what-is-enterprise-mode-include.md
+++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
@@ -1,4 +1,7 @@
+---
+ms.date: 07/17/2018
+---
 ## What is Enterprise Mode?
 Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
 
-Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
\ No newline at end of file
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index bbfd85b95e..c8b17e2ff9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -57,7 +57,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
     > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
 
 -   **Use an update management solution to control update deployment.**
-    If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
+    If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
 
     > [!NOTE]
     > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
@@ -66,7 +66,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t
 
 ## Availability of Internet Explorer 11
 
-Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS.
+Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Configuration Manager and WSUS.
 
 ## Prevent automatic installation of Internet Explorer 11 with WSUS
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index b795f7aab3..75027dfd9d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -9,6 +9,7 @@ title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Expl
 ms.sitesec: library
 ms.localizationpriority: medium
 manager: dansimp
+ms.date: 02/24/2016
 ---
 
 
@@ -62,4 +63,4 @@ IE11 offers differing experiences in Windows 8.1:
 ## Related topics
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
 - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index c0fb369154..1dd3438086 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -50,7 +50,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
 |               Turn off the ability to launch report site problems using a menu option               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Administrative Templates\Windows Components\Internet Explorer\Browser menus                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |            Internet Explorer 11            |                                                                                                                                                                                                                                                                                                                                                                                                                                                           This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.<p>If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.<p>If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 |                        Turn off the flip ahead with page prediction feature                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | At least Internet Explorer 10 on Windows 8 |                                                                                                                                                                                                                                                                                                                                                                           This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.<p>If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.<p>If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.<p>If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.<p>**Note**<br>Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop.                                                                                                                                                                                                                                                                                                                                                                            |
 | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |             IE11 on Windows 10             |                                                                                                                                                                                                                                                                                                                                                   This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.<p>**Important**<br>When using 64-bit processes, some ActiveX controls and toolbars might not be available.                                                                                                                                                                                                                                                                                                                                                    |
-|                                  Turn on Site Discovery WMI output                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Administrative Templates\Windows Components\Internet Explorer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |        At least Internet Explorer 8        |                                                                                                                                                                                                                                                                                                                                                                                                      This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.<p>If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.<p>**Note:**<br>Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit.                                                                                                                                                                                                                                                                                                                                                                                                       |
+|                                  Turn on Site Discovery WMI output                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Administrative Templates\Windows Components\Internet Explorer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |        At least Internet Explorer 8        |                                                                                                                                                                                                                                                                                                                                                                                                      This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Configuration Manager.<p>If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.<p>**Note:**<br>Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit.                                                                                                                                                                                                                                                                                                                                                                                                       |
 |                                  Turn on Site Discovery XML output                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Administrative Templates\Windows Components\Internet Explorer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |        At least Internet Explorer 8        |                                                                                                                                                                                                                                                                                                                                                                                                                                            This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.<p>If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.<p>**Note:**<br>Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit.                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 |                               Use the Enterprise Mode IE website list                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               Administrative Templates\Windows Components\Internet Explorer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |      IE11 on Windows 10, version 1511      |                                                                                                                                                                                                                                                                                                                                                                 This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.<p>If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.<p>If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode.                                                                                                                                                                                                                                                                                                                                                                 |
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 7015595563..2090ed72ef 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -33,7 +33,7 @@ Before you begin, you should:
 
 -   **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
 
--   **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network.
+-   **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Configuration Manager, or your network.
 
 -   **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons.
 
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index f72747f486..08899cb2db 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -6,6 +6,7 @@ author: dansimp
 ms.prod: ie11
 ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
 ms.reviewer: 
+ms.date: 03/15/2016
 audience: itpro
 manager: dansimp
 ms.author: dansimp
@@ -60,8 +61,3 @@ You can also click **Select All** to add, or **Clear All** to remove, all of the
  
 
  
-
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 5b662eeca6..d4dde73e8c 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -9,6 +9,7 @@ title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
 ms.sitesec: library
 ms.localizationpriority: medium
 manager: dansimp
+ms.date: 03/15/2016
 ---
 
 
@@ -49,4 +50,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
 - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index f3861da706..e41ec1ade3 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -1,3 +1,6 @@
+---
+ms.date: 10/24/2020
+---
 <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
 

 
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index bc030c32e4..b732e77d6d 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -46,6 +46,8 @@ items:
         href: configure-aad-google-trust.md
     - name: Configure Shared PC
       href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+    - name: Get and deploy Minecraft Education
+      href: get-minecraft-for-education.md
     - name: Use the Set up School PCs app
       href: use-set-up-school-pcs-app.md
     - name: Change Windows edition
@@ -56,16 +58,6 @@ items:
         href: change-to-pro-education.md
       - name: Upgrade Windows Home to Windows Education on student-owned devices
         href: change-home-to-edu.md
-    - name: "Get and deploy Minecraft: Education Edition"
-      items: 
-      - name: "Get Minecraft: Education Edition"
-        href: get-minecraft-for-education.md
-      - name: "For IT administrators: get Minecraft Education Edition"
-        href: school-get-minecraft.md
-      - name: "For teachers: get Minecraft Education Edition"
-        href: teacher-get-minecraft.md
-    - name: Work with Microsoft Store for Education
-      href: education-scenarios-store-for-business.md
     - name: Migrate from Chromebook to Windows
       items: 
         - name: Chromebook migration guide
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index fea632b61a..f92de780a3 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -74,7 +74,7 @@ It's critical that MAKs are protected whenever they're used. The following proce
 - Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp);
     > [!IMPORTANT]
     > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students.
-- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager.
+- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager.
 
 For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
 
@@ -117,7 +117,7 @@ These steps provide instructions on how to use Microsoft Intune to upgrade devic
 
 These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
 
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Tenant administration** > **Filters**
 - Select **Create**
   - Specify a name for the filter (for example *Windows Home edition*)
@@ -142,7 +142,7 @@ These steps configure a filter that will only apply to devices running the *Wind
 
 These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings).
 
-- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
+- Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Devices** > **Configuration profiles**
 - Select **Create profile**
   - Select the **Platform** as **Windows 10 or later**
@@ -177,9 +177,9 @@ The edition upgrade policy will now apply to all existing and new Windows Home e
 
 ### Step 3: Report on device edition
 
-You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console.
+You can check the Windows versions of managed devices in the Microsoft Intune admin center.
 
-- Start in the **Microsoft Endpoint Manager admin console**
+- Start in the **Microsoft Intune admin center**
 - Select **Devices** > **Windows**
 - Select the **Columns** button
 - Select **Sku Family**
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 05c7db8963..969f81b3be 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -346,7 +346,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
 |--- |--- |--- |--- |
 |Use Office 365||✔️|✔️|
 |Use Intune for management||✔️|✔️|
-|Use Microsoft Endpoint Manager for management|✔️||✔️|
+|Use Microsoft Configuration Manager for management|✔️||✔️|
 |Use Group Policy for management|✔️||✔️|
 |Have devices that are domain-joined|✔️||✔️|
 |Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️|
@@ -359,7 +359,7 @@ You may ask the question, “Why plan for device, user, and app management befor
 
 Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device.
 
-Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Endpoint Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
+Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
 
 Table 6. Device, user, and app management products and technologies
 
@@ -464,7 +464,7 @@ Use the following Microsoft management systems and the deployment resources to p
 
 - [Windows Autopilot](/mem/autopilot/windows-autopilot)
 
-- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
+- Microsoft Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
 
 - Provisioning packages:
 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 4935d37ed7..25b23567fd 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school district (Windows 10)
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Deploy Windows 10 in a school district
 
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for district deployment
 
@@ -125,7 +125,7 @@ Now that you've the plan (blueprint) for your district and individual schools an
 
 The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
 
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
 
 This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
 
@@ -163,7 +163,7 @@ The high-level process for deploying and configuring devices within individual c
 
 6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
 
-7. Import the captured reference images into MDT or Microsoft Endpoint Configuration Manager.
+7. Import the captured reference images into MDT or Microsoft Configuration Manager.
 
 8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
 
@@ -191,9 +191,9 @@ Before you select the deployment and management methods, you need to review the
 |Scenario feature |Cloud-centric|On-premises and cloud|
 |---|---|---|
 |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS)  |  AD DS integrated with Azure AD |
-|Windows 10 deployment   | MDT only  |  Microsoft Endpoint Manager with MDT |
+|Windows 10 deployment   | MDT only  |  Microsoft Configuration Manager with MDT |
 |Configuration setting management  | Intune  |  Group Policy<br/><br/>Intune|
-|App and update management |  Intune |Microsoft Endpoint Configuration Manager<br/><br/>Intune|
+|App and update management |  Intune |Microsoft Configuration Manager<br/><br/>Intune|
 
 *Table 1. Deployment and management scenarios*
 
@@ -205,19 +205,19 @@ These scenarios assume the need to support:
 Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
 
 * You can use Group Policy or Intune to manage configuration settings on a device but not both.
-* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both.
+* You can use Configuration Manager or Intune to manage apps and updates on a device but not both.
 * You can't  manage multiple users on a device with Intune if the device is AD DS domain joined.
 
 Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
 
 ### Select the deployment methods
 
-To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
 
 |Method|Description|
 |--- |--- |
 |MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.<br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) <li> Don’t have an existing AD DS infrastructure. <li> Need to manage devices regardless of where they are (on or off premises). <br>The advantages of this method are that: <br> <li> You can deploy Windows 10 operating systems <li> You can manage device drivers during initial deployment. <li>You can deploy Windows desktop apps (during initial deployment)<li> It doesn’t require an AD DS infrastructure.<li>It doesn’t have extra infrastructure requirements.<li>MDT doesn’t incur extra cost: it’s a free tool.<li>You can deploy Windows 10 operating systems to institution-owned and personal devices. <br> The disadvantages of this method are that it:<br> <li>Can’t manage applications throughout entire application life cycle (by itself).<li>Can’t manage software updates for Windows 10 and apps (by itself).<li>Doesn’t provide antivirus and malware protection (by itself).<li>Has limited scaling to large numbers of users and devices.|
-|Microsoft Endpoint Configuration Manager|<li> Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle <li>You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. <br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). <li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). <li>Typically deploy Windows 10 to on-premises devices. <br> The advantages of this method are that: <li>You can deploy Windows 10 operating systems.<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large number of users and devices. <br>The disadvantages of this method are that it:<li>Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
+|Microsoft Configuration Manager|<li> Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle <li>You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. <br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). <li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). <li>Typically deploy Windows 10 to on-premises devices. <br> The advantages of this method are that: <li>You can deploy Windows 10 operating systems.<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large number of users and devices. <br>The disadvantages of this method are that it:<li>Carries an extra cost for Microsoft Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
 
 *Table 2. Deployment methods*
 
@@ -226,7 +226,7 @@ Record the deployment methods you selected in Table 3.
 |Selection | Deployment method|
 |--------- | -----------------|
 |   |MDT by itself |
-|   |Microsoft Endpoint Manager and MDT|
+|   |Microsoft Configuration Manager and MDT|
 
 *Table 3. Deployment methods selected*
 
@@ -260,9 +260,9 @@ Use the information in Table 6 to determine which combination of app and update
 
 |Selection|Management method|
 |--- |--- |
-|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
+|Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
 |Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that aren't  domain joined.<li>Want to manage Azure AD domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>can't  deploy Windows 10 operating systems.|
-|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br>Select this method when you:<li>Selected Microsoft Endpoint Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
+|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br><br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br><br>Select this method when you:<br><li>Selected Microsoft Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br><br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br><br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
 
 *Table 6. App and update management products*
 
@@ -270,9 +270,9 @@ Record the app and update management methods that you selected in Table 7.
 
 |Selection | Management method|
 |----------|------------------|
-|   |Microsoft Endpoint Manager by itself|
+|   |Microsoft Configuration Manager by itself|
 |   |Intune by itself|
-|   |Microsoft Endpoint Manager and Intune (hybrid mode)|
+|   |Microsoft Configuration Manager and Intune (hybrid mode)|
 
 *Table 7. App and update management methods selected*
 
@@ -315,16 +315,16 @@ For more information about how to create a deployment share, see [Step 3-1: Crea
 ### Install the Configuration Manager console
 
 > [!NOTE]
-> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
+> If you selected Microsoft Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
 
 You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers.
 
-For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole).
+For more information about how to install the Configuration Manager console, see [Install Microsoft Configuration Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole).
 
 ### Configure MDT integration with the Configuration Manager console
 
 > [!NOTE]
-> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next.
+> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next.
 
 You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT.
 
@@ -841,7 +841,7 @@ At the end of this section, you should know the Windows 10 editions and processo
 
 ## Prepare for deployment
 
-Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
+Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
 
 ### Configure the MDT deployment share
 
@@ -851,17 +851,17 @@ The first step in preparing for Windows 10 deployment is to configure—that is,
 |--- |--- |
 |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
 |2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't  play sounds; without the proper camera driver, the device can't  take photos or use video chat.<br>Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
-|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.<br>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.<li>For apps that aren't  offline licensed, obtain the .appx files from the app software vendor directly.<br> <br> If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br>If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br>In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<li>Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).<li>Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
+|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.<br>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.<li>For apps that aren't  offline licensed, obtain the .appx files from the app software vendor directly.<br> <br> If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br>If you've Intune or Microsoft Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br>In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<li>Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).<li>Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
 |4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.<br>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).<br> If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.<br>This is the preferred method for deploying and managing Windows desktop apps.<br>**Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) <br>For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).|
 |5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:<li>Deploy 64-bit Windows 10 Education to devices.<li>Deploy 32-bit Windows 10 Education to devices.<li>Upgrade existing devices to 64-bit Windows 10 Education.<li>Upgrade existing devices to 32-bit Windows 10 Education.<br> <br>Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).|
 |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br>For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
 
 *Table 16. Tasks to configure the MDT deployment share*
 
-### Configure Microsoft Endpoint Configuration Manager
+### Configure Microsoft Configuration Manager
 
 > [!NOTE]
-> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section.
+> If you've already configured your Microsoft Configuration Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section.
 
 Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure.
 
@@ -871,21 +871,21 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
 * [Start using Configuration Manager](/mem/configmgr/core/servers/deploy/start-using)
 
 
-#### To configure an existing Microsoft Endpoint Manager infrastructure for operating system deployment
+#### To configure an existing Microsoft Configuration Manager infrastructure for operating system deployment
 
 1. Perform any necessary infrastructure remediation.
 
-    Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment).
+    Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment).
 2. Add the Windows PE boot images, Windows 10 operating systems, and other content.
 
     You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard.
 
-    You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
+    You can add this content by using Microsoft Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
 3. Add device drivers.
 
     You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device.
 
-    Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
+    Create a Microsoft Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
 4. Add Windows apps.
 
     Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
@@ -914,14 +914,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
 
     For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
 
-### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
+### Configure Windows Deployment Services for Microsoft Configuration Manager
 
 > [!NOTE]
-> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
+> If you've already configured your Microsoft Configuration Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
 
 You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment.
 
-#### To configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
+#### To configure Windows Deployment Services for Microsoft Configuration Manager
 
 1. Set up and configure Windows Deployment Services.
 
@@ -944,7 +944,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage
 
 #### Summary
 
-Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district.
+Your MDT deployment share and Microsoft Configuration Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district.
 
 ## Capture the reference image
 
@@ -1015,7 +1015,7 @@ Both the Deployment Workbench and the Configuration Manager console have wizards
 For more information about how to import the reference image into:
 
 * An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](/mem/configmgr/mdt/use-the-mdt#ImportaPreviouslyCapturedImageofaReferenceComputer).
-* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images).
+* Microsoft Configuration Manager, see [Manage operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images).
 
 ### Create a task sequence to deploy the reference image
 
@@ -1026,10 +1026,10 @@ As you might expect, both the Deployment Workbench and the Configuration Manager
 For more information about how to create a task sequence in the:
 
 * Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).
-* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system).
+* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system).
 
 #### Summary
-In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Endpoint Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices.
+In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices.
 
 ## Prepare for device management
 
@@ -1095,7 +1095,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
 
 ### Deploy and manage apps by using Intune
 
-If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
+If you selected to deploy and manage apps by using Microsoft Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager) section.
 
 You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages.
 
@@ -1106,9 +1106,9 @@ For more information about how to configure Intune to manage your apps, see the
 - [Protect apps and data with Microsoft Intune](/mem/intune/apps/app-protection-policy)
 - [Help protect your data with full or selective wipe using Microsoft Intune](/mem/intune/remote-actions/devices-wipe)
 
-### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
+### Deploy and manage apps by using Microsoft Configuration Manager
 
-You can use  Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
+You can use  Microsoft Configuration Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
 
 For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
 
@@ -1121,7 +1121,7 @@ For more information about how to configure Configuration Manager to deploy and
 
 ### Manage updates by using Intune
 
-If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager) section.
+If you selected to manage updates by using Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager) section.
 
 To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
 
@@ -1133,7 +1133,7 @@ For more information about how to configure Intune to manage updates and malware
 - [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-configure)
 
-### Manage updates by using Microsoft Endpoint Configuration Manager
+### Manage updates by using Microsoft Configuration Manager
 
 To ensure that your users have the most current features and security protection, use the software updates feature in Configuration Manager to manage updates. The software updates feature works in conjunction with WSUS to manage updates for Windows 10 devices.
 
@@ -1146,7 +1146,7 @@ For more information about how to configure Configuration Manager to manage Wind
 
 #### Summary
 
-In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Endpoint Manager to manage your apps. Finally, you configured Intune or Microsoft Endpoint Manager to manage software updates for Windows 10 and your apps.
+In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or Microsoft Configuration Manager to manage your apps. Finally, you configured Intune or Microsoft Configuration Manager to manage software updates for Windows 10 and your apps.
 
 ## Deploy Windows 10 to devices
 
@@ -1159,7 +1159,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these
 |    | Task |
 |:---|:---|
 |**1.** |Ensure that the target devices have sufficient system resources to run Windows 10.|
-|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Endpoint Configuration Manager.|
+|**2.** |Identify the necessary devices drivers, and then import them into the MDT deployment share or Microsoft Configuration Manager.|
 |**3.** |For each Microsoft Store and Windows desktop app, create an MDT application or Configuration Manager application.|
 |**4.** |Notify the students and faculty about the deployment.|
 
@@ -1243,11 +1243,11 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
 |Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.|✔️|✔️|✔️|
 |Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️|
 |Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br>For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
-|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
+|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Configuration Manager](#manage-updates-by-using-microsoft-configuration-manager)|✔️|✔️|✔️|
 |Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br>For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
 |Refresh the operating system and apps on devices.<br>For more information about completing this task, see the following resources:<li>[Prepare for deployment](#prepare-for-deployment)<li>[Capture the reference image](#capture-the-reference-image)<li>[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
-|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
-|Install new or update existing Microsoft Store apps used in the curriculum.<br>Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br>You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. <br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️|
+|Install new or update existing Microsoft Store apps used in the curriculum.<br>Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br>You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Configuration Manager, or both in a hybrid configuration. <br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-configuration-manager)||✔️|✔️|
 |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) <li>Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
 |Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).<br>For more information about how to:<li>Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)<li>Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
 |Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)<li> Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 1655458c44..34726cf380 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -79,13 +79,13 @@ Now that you've the plan (blueprint) for your classroom, you’re ready to learn
 
 The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
 
-You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
 
 MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. 
 
 LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
 
-The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), [Configuration Manager](/mem/configmgr/core/understand/introduction), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
 
 The configuration process requires the following devices:
 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
deleted file mode 100644
index 1a86e4e1c4..0000000000
--- a/education/windows/education-scenarios-store-for-business.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-title: Education scenarios Microsoft Store for Education
-description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
-ms.topic: article
-ms.date: 08/10/2022
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
----
-
-# Working with Microsoft Store for Education
-
-Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
-
-Many of the [settings in Microsoft Store for Business](/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.  
-
-## Basic Purchaser role
-Applies to: IT admins
-
-By default, when a teacher with a work or school account signs up for Microsoft Store for Education, the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to: 
-- View the Minecraft: Education Edition product description page 
-- Acquire and manage Minecraft: Education Edition, and other apps from Store for Education
-- Use info on **Support** (including links to documentation and access to support through customer service)
-
-> [!NOTE]
-> People with the **Basic Purchaser** role can only manage (assign and reclaim licenses) for apps that they purchased. They can't manage apps purchased by people with **Purchaser** or **Admin** roles. 
-
-Admins can control whether or not teachers are automatically assigned the **Basic Purchaser** role. You can configure this with **Make everyone a Basic Purchaser**. You'll find this on **Settings**, with **Shop** settings. 
-
-**To manage Make everyone a Basic Purchaser**
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then click **Settings**. 
-3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
-
-> [!NOTE]
-> **Make everyone a Basic Purchaser** is on by default. 
-
-When **Make everyone a Basic Purchaser** is turned off, admins can manually assign the role to teachers. 
-
-**To assign Basic Purchaser role**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then choose **Permissions**.
-3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
-
-
-**Blocked Basic Purchasers**
-
-When **Make everyone a Basic Purchaser** is on, admins can still manage which users have the **Basic Purchaser** role. An admin can unassign the **Basic Purchaser** role from a user, and the user is added to a list of **Blocked Basic Purchasers**. Admins can review who are **Basic Purchasers** and **Blocked Basic Purchasers** on **Permissions**. 
-
-## Private store
-
-Applies to: IT admins
-
-When you create your Microsoft Store for Education account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use. 
-
-These apps will automatically be in your private store:
-- Word mobile
-- Excel mobile
-- PowerPoint mobile
-- OneNote
-- Sway
-- Fresh Paint
-- Minecraft: Education Edition
-
-As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
-
-## Manage domain settings 
-
-Applies to: IT admins
-
-### Self-service sign up
-Self-service sign-up makes it easier for users in your organization to sign up for online services from Microsoft. We call this sign up process "self-service sign-up" because your users can sign up to use services paid by your subscription, or use free services, without asking you to take action on their behalf. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
-
-### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
-
-## Acquire apps
-Applies to: IT admins and teachers
-
-Find apps for your school using Microsoft Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
- 
-**To acquire apps**
-- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps) 
-
-**To add a payment method - debit or credit card**
-
-If the app you purchase has a price, you’ll need to provide a payment method. 
-- During your purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
- 
-For more information on payment options, see [payment options](/microsoft-store/acquire-apps-windows-store-for-business#payment-options). 
-
-For more information on tax rates, see [tax information](/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information). 
-
-## Manage apps and software
-Applies to: IT admins and teachers
-
-## Manage purchases
-IT admins and teachers in educational settings can purchase apps from Microsoft Store for Education. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default. 
-
-While both groups can purchase apps, they can't manage purchases made by the other group. 
-
-Admins can:
-- Manage and distribute apps they purchased and apps purchased by other admins in the organization. 
-- View apps purchased by teachers.
-- View and manage apps on **Manage**, under **Apps & software**. 
-
-Teachers can:
-- Manage and distribute apps they purchased.
-- View and manage apps on **Manage**, under **Apps & software**. 
-
-> [!NOTE]
-> Teachers with the Basic purchaser role can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
- 
-## Distribute apps
-
-**To manage and distribute apps**
-- For info on how to manage and distribute apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
-
-**To assign an app to a student**
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then choose **Apps & software**.
-3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
-4. Type the email address, or name for the student that you're assigning the app to, and click **Assign**.
-
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
-
-### Purchase more licenses
-Applies to: IT admins and teachers
-
-You can manage current app licenses, or purchase more licenses for apps in **Apps & software**. 
-
-**To purchase additional app licenses**
-1. Click **Manage**, click **Apps & software**, and then click an app. 
-2. Click **Buy more** to purchase more licenses</br>
-
-You'll have a summary of current license availability.  
-
-## Manage order history
-Applies to: IT admins and teachers
-
-You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](/microsoft-store/manage-orders-microsoft-store-for-business). 
-
-It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**. 
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 53ac374a11..0c1e50cd52 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,8 +1,8 @@
 ---
-title: Get Minecraft Education Edition
-description: Learn how to get and distribute Minecraft Education Edition.
+title: Get and deploy Minecraft Education
+description: Learn how to obtain and distribute Minecraft Education to Windows devices.
 ms.topic: how-to
-ms.date: 08/10/2022
+ms.date: 02/23/2023
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ms.collection:
@@ -11,20 +11,139 @@ ms.collection:
   - tier2
 ---
 
-# Get Minecraft: Education Edition
+# Get and deploy Minecraft Education
 
-[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft.
+Minecraft Education is a game-based platform that inspires creative and inclusive learning through play. Explore blocky worlds that unlock new ways to tackle any subject or challenge. Dive into subjects like reading, math, history, and coding with lessons and standardized curriculum designed for all types of learners. Or explore and build together in creative open worlds.
 
-<iframe width="501" height="282" src="https://www.youtube-nocookie.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
+**Use it your way**: with hundreds of ready-to-teach lessons, creative challenges, and blank canvas worlds, there are lots of ways to make Minecraft Education work for your students. It's easy to get started, no gaming experience necessary.
 
-Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution. 
+**Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM.
 
-## Prerequisites
- 
-- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
-- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
-  - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
-  - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
-  - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
+**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.  
 
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
+## Minecraft Education key features
+
+- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments  
+- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution  
+- Immersive Reader helps players read and translate text  
+- Camera and Book & Quill items allow documentation and export of in-game creations  
+- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls  
+
+## Try or purchase Minecraft Education
+
+Users in a Microsoft-verified academic organization with Microsoft 365 accounts have [access to a free trial][EDU-1] for Minecraft Education. This grants faculty accounts 25 free logins, and student accounts 10 free logins before a paid license is required to continue playing. Users in non-Microsoft-verified academic organizations have 10 free logins.
+
+Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers.
+
+When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant:
+
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant  
+- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
+
+### Direct purchase
+
+To purchase direct licenses:
+
+1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar
+1. Scroll down and select **Buy Now** under **Direct Purchase**
+1. In the *purchase* page, sign in with an account that has *Billing Admin* privileges in your organization
+1. If necessary, fill in any requested organization or payment information
+1. Select the quantity of licenses you'd like to purchase and select **Place Order**
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+
+### Volume licensing
+
+Qualified education institutions can purchase Minecraft Education licenses through their Microsoft channel partner. Schools need to be part of the *Enrollment for Education Solutions* (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft Education licensing offer is best for their institution. The process looks like this:
+
+1. Your channel partner will submit and process your volume license order
+1. Your licenses will show on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
+1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
+
+### Payment options
+
+You can pay for Minecraft Education with a debit or credit card, or with an invoice.
+
+#### Debit or credit cards
+
+During the purchase, select **Add a new payment method**. Provide the information needed for your debit or credit card.
+
+#### Invoices
+
+Invoices are a supported payment method for Minecraft Education. There are a few requirements:
+
+- $500 invoice minimum for your initial purchase
+- $15,000 invoice maximum (for all invoices within your organization)
+
+To pay with an invoice:
+
+1. During the purchase, select **Add a new payment method.**
+2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
+
+For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1].  
+
+## Assign Minecraft Education licenses
+
+You can assign and manage Minecraft Education licenses from the Microsoft 365 admin center.\
+You must be a *Global*, *License*, or *User admin* to assign licenses. For more information, see [About Microsoft 365 admin roles][M365-2].
+
+1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
+1. From the left-hand menu in Microsoft Admin Center, select *Users*
+1. From the Users list, select the users you want to add or remove for Minecraft Education access
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+    > [!Note]
+    > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
+    > [!Note]
+    > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
+
+:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+
+For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
+
+## Distribute Minecraft Education
+
+There are different ways to install Minecraft Education on Windows devices. You can manually install the app on each device, or you can use a deployment tool to distribute the app to multiple devices.
+If you're using Microsoft Intune to manage your devices, follow these steps to deploy Minecraft Education:
+
+1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
+1. Select **Apps > Windows > Add**
+1. Under *App type*, select **Microsoft Store app (new)** and choose **Select**
+1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education**
+1. Select the app and choose **Select**
+1. On the *App information* screen, select **Next**
+1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education
+    - *Required* means that Intune installs the app without user interaction
+    - *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand
+1. Select **Next**
+1. On the *Review + Create* screen, select **Create**
+
+Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+
+:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+
+For more information how to deploy Minecraft Education, see:
+
+- [Windows installation guide][EDU-6]
+- [Chromebook installation guide][EDU-7]
+- [iOS installation guide][EDU-8]
+- [macOS installation guide][EDU-9]
+
+If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+
+<!--links-->
+[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+[EDU-3]: https://www.microsoft.com/education/products/office
+[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+
+[AKA-1]: https://aka.ms/minecraftedusupport
diff --git a/education/windows/images/minecraft/admin-center-minecraft-license.png b/education/windows/images/minecraft/admin-center-minecraft-license.png
new file mode 100644
index 0000000000..ef96f3ef69
Binary files /dev/null and b/education/windows/images/minecraft/admin-center-minecraft-license.png differ
diff --git a/education/windows/images/minecraft/mcee-invoice-info.png b/education/windows/images/minecraft/mcee-invoice-info.png
deleted file mode 100644
index f4bf29f8b2..0000000000
Binary files a/education/windows/images/minecraft/mcee-invoice-info.png and /dev/null differ
diff --git a/education/windows/images/minecraft/win11-minecraft-education.png b/education/windows/images/minecraft/win11-minecraft-education.png
new file mode 100644
index 0000000000..84a8d86b96
Binary files /dev/null and b/education/windows/images/minecraft/win11-minecraft-education.png differ
diff --git a/education/windows/images/suspcs/2023-02-16_13-02-37.png b/education/windows/images/suspcs/2023-02-16_13-02-37.png
new file mode 100644
index 0000000000..dc396099bf
Binary files /dev/null and b/education/windows/images/suspcs/2023-02-16_13-02-37.png differ
diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md
index a8d82dfea6..c5eee0e2a8 100644
--- a/education/windows/includes/intune-custom-settings-1.md
+++ b/education/windows/includes/intune-custom-settings-1.md
@@ -1,13 +1,13 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 11/08/2022
+ms.date: 02/22/2022
 ms.topic: include
 ---
 
 To configure devices with Microsoft Intune, use a custom policy:
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Go to the <a href="https://intune.micorsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
 2. Select **Devices > Configuration profiles > Create profile**
 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
 4. Select **Create**
diff --git a/education/windows/index.yml b/education/windows/index.yml
index a84e4b3961..49ca3b7f40 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -12,6 +12,7 @@ metadata:
   ms.collection:
   - education
   - highpri
+  - tier1
   author: paolomatarazzo
   ms.author: paoloma
   ms.date: 08/10/2022
@@ -100,5 +101,5 @@ landingContent:
           url: edu-take-a-test-kiosk-mode.md
         - text: Configure Shared PC
           url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
-        - text: "Deploy Minecraft: Education Edition"
+        - text: Get and deploy Minecraft Education
           url: get-minecraft-for-education.md
\ No newline at end of file
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
deleted file mode 100644
index 150285950b..0000000000
--- a/education/windows/school-get-minecraft.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: For IT administrators get Minecraft Education Edition
-description: Learn how IT admins can get and distribute Minecraft in their schools.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-ms.collection:
-  - highpri
-  - education
-  - tier2
----
-
-# For IT administrators - get Minecraft: Education Edition
-
-When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription, Minecraft: Education Edition will be added to the inventory in your Microsoft Admin Center which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Admin Center is only displayed to members of your organization with administrative roles.
-
->[!Note]
->If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you purchase Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-
-## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers
-
-Schools that purchased Microsoft 365 A3 or Microsoft 365 A5 have an extra option for making Minecraft: Education Edition available to their students:
-
-If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already. 
-
-> [!Note]
-> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions.
-
-After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default).
-
-If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access.
-
-## How to get Minecraft: Education Edition
-
-Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies). 
-
-If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). 
-
-### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
-
-1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar.
-
-2. Scroll down and select **Buy Now** under Direct Purchase.
-
-3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account.
-
-4. If necessary, fill in any requested organization or payment information.
-
-5. Select the quantity of licenses you would like to purchase and select **Place Order**.
-
-6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
-
-If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
-
-### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
-
-Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: 
-
-- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. 
-- You'll receive an email with a link to Microsoft Store for Education. 
-- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
-
-## Minecraft: Education Edition payment options
-
-You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. 
-
-### Debit or credit cards
-
-During the purchase, click **Add a new payment method**. Provide the info needed for your debit or credit card. 
-
-### Invoices
-
-Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements:
-
-- Admins only (not supported for Teachers)
-- $500 invoice minimum for your initial purchase
-- $15,000 invoice maximum (for all invoices within your organization)
-
-**To pay with an invoice**
-
-1. During the purchase, click **Add a new payment method.**  
-
-2. Select the Invoice option, and provide the info needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
-
-    ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/minecraft/mcee-invoice-info.png)
-
-For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).  
-
-## Distribute Minecraft
-
-After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).
-
-## Learn more
-
-[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)
-
-## Related topics
-
-[Get Minecraft: Education Edition](get-minecraft-for-education.md)
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
deleted file mode 100644
index f11f1f684a..0000000000
--- a/education/windows/teacher-get-minecraft.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: For teachers get Minecraft Education Edition
-description: Learn how teachers can obtain and distribute Minecraft.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
-ms.collection:
-  - highpri
-  - education
-  - tier2
----
-
-# For teachers - get Minecraft: Education Edition
-
-The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. 
-
-
-## Try Minecraft: Education Edition for Free 
-
-Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
-
-To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download)
-
-## Purchase Minecraft: Education Edition for Teachers and Students
-
-As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. 
-
-M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. 
-
-
-#### Troubleshoot 
-
-If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). 
-
-## Related topics
-
-[Get Minecraft: Education Edition](get-minecraft-for-education.md)
-[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
-
-
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index f70081a995..5b63ea0b0b 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -70,7 +70,7 @@ To create a Windows Update policy:
 For more information, see [Updates and upgrade][INT-6].
 
 > [!NOTE]
-> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information:
+> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information:
 > - [<u>What is Windows Update for Business?</u>][WIN-1]
 > - [<u>Manage Windows software updates in Intune</u>][MEM-1]
 
@@ -92,7 +92,7 @@ To create a security policy:
 For more information, see [Security][INT-4].
  
 > [!NOTE]
-> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information:
+> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
 > - [<u>Antivirus</u>][MEM-2]
 > - [<u>Disk encryption</u>][MEM-3]
 > - [<u>Firewall</u>][MEM-4]
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index 01394b420a..32ff8c37ed 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -54,7 +54,7 @@ Here are the steps for creating a dynamic group for the devices that have an ass
 1. Select **Create group**
     :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
 
-More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
+More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
 
 > [!TIP]
 > You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
@@ -76,7 +76,7 @@ To create an Autopilot deployment profile:
 1. Ensure that **User account type** is configured as **Standard**
 1. Select **Save**
 
-While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
+While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
 
 ### Configure an Enrollment Status Page
 
@@ -87,7 +87,7 @@ An Enrollment Status Page (ESP) is a greeting page displayed to users while enro
 > [!NOTE]
 > Some Windows Autopilot deployment profiles **require** the ESP to be configured.
 
-To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
+To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune.
 
 > [!TIP]
 > While testing the deployment process, you can configure the ESP to:
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 98574366e1..a23afe72b0 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -29,8 +29,8 @@ This content provides a comprehensive path for schools to deploy and manage new
 
 Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
 
-Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
-Microsoft Endpoint Manager services include:
+Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
+Microsoft Intune services include:
 
 - [Microsoft Intune][MEM-1]
 - [Microsoft Intune for Education][INT-1]
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md
index e374fd8f7d..94efd0d46b 100644
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@@ -17,25 +17,25 @@ Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that
 
 DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
 
-:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true":::
+:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true":::
 
 ## Microsoft Surface Management Portal
 
-Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
+Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
 
 When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
 
 To access and use the Surface Management Portal:
 
-1. Sign in to <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
-1. Select **All services** > **Surface Management Portal**
-    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true":::
-1. To obtain insights for all your Surface devices, select **Monitor**
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **All services** > **Surface Management Portal**
+    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
+3. To obtain insights for all your Surface devices, select **Monitor**
     - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
-1. To obtain details on each insights category, select **View report**
+4. To obtain details on each insights category, select **View report**
     - This dashboard displays diagnostic information that you can customize and export
-1. To obtain the device's warranty information, select **Device warranty and coverage**
-1. To review a list of support requests and their status, select **Support requests**
+5. To obtain the device's warranty information, select **Device warranty and coverage**
+6. To review a list of support requests and their status, select **Support requests**
 
 <!-- Reference links in article -->
 
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
index d27616f71e..899b8298dd 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -30,7 +30,7 @@ For more information, see [Create your Office 365 tenant account][M365-1]
 
 The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
 
-From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:
+From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others:
 
 :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
 
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
index f4d3b44e2e..8d1b84254e 100644
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -7,9 +7,9 @@ ms.topic: tutorial
 
 # Set up Microsoft Intune
 
-Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale.
+Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
 
-Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
+The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
 
 :::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
 
@@ -44,13 +44,13 @@ With enrollment restrictions, you can prevent certain types of devices from bein
 
 To block personally owned Windows devices from enrolling:
 
-1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
 1. Select the **Windows restrictions** tab
 1. Select **Create restriction**
 1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
 1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
-    :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true":::
+    :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
 1. Optionally, on the **Scope tags** page, add scope tags > **Next**
 1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
 1. On the **Review + create** page, select **Create** to save the restriction
@@ -63,13 +63,13 @@ Windows Hello for Business is a biometric authentication feature that allows use
 It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
 To disable Windows Hello for Business at the tenant level:
 
-1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
 1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
 1. Select **Save**
 
-:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png":::
+:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
 
 For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
 
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
index dd9817a5b9..a58a7f2d9a 100644
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot Windows devices
-description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services.
+description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Troubleshoot Windows devices
 
-Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
+Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
 Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
 
 - [Troubleshooting device enrollment in Intune][MEM-2]
@@ -27,11 +27,12 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
 
 Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
 
-Follow these steps to obtain support in Microsoft Endpoint Manager:
+Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
+:
 
-- Sign in to the <a href="https://endpoint.microsoft.com" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 - Select **Troubleshooting + support** > **Help and support**
-    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
+    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
 - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
 - Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
 - In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
@@ -43,7 +44,7 @@ Follow these steps to obtain support in Microsoft Endpoint Manager:
   > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
 - To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
 
-For more information, see [Microsoft Endpoint Manager support page][MEM-1]
+For more information, see [Microsoft Intune support page][MEM-1]
 
 <!-- Reference links in article -->
 [MEM-1]: /mem/get-support
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 05dbf61f4b..301a6d1da2 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -13,7 +13,7 @@ IT administrators and technical teachers can use the **Set up School PCs** app t
 Set up School PCs also:  
 * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.  
 * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.  
-* Utilizes Windows Update and maintenance hours to keeps student PCs up-to-date, without interfering with class time.
+* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
 * Locks down the student PC to prevent activity that isn't beneficial to their education.  
 
 This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).  
@@ -23,8 +23,6 @@ Before you begin, make sure that you, your computer, and your school's network a
 
 * Office 365 and Azure Active Directory
 * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)  
-* Permission to buy apps in Microsoft Store for Education
-* Set up School PCs app has permission to access the Microsoft Store for Education
 * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
 * Student PCs must either: 
     * Be within range of the Wi-Fi network that you configured in the app.
@@ -170,9 +168,9 @@ The following table describes each setting and lists the applicable Windows 10 v
 |---------|---------|---------|---------|---------|---------|---------|
 |Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
 |Allow local storage (not recommended for shared devices)    |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC.         |Not recommended if the device will be shared between different students.|
-|Optimize device for a single student, instead of a shared cart or lab    |X|X|X|X|Optimizes the device for use by a single student, rather than many students.       |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+|Optimize device for a single student, instead of a shared cart or lab    |X|X|X|X|Optimizes the device for use by a single student, rather than many students.       |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
 |Let guests sign in to these PCs     |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
 |Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|   
 
 After you've made your selections, click **Next**.
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 9b877306f7..0ee49c8f45 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -94,6 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Class Policy`                            | 114.0.0           | Win32    | `Class Policy`                            |
 | `Classroom.cloud`                         | 1.40.0004         | Win32    | `NetSupport`                              |
 | `CoGat Secure Browser`                    | 11.0.0.19         | Win32    | `Riverside Insights`                      |
+| `ColorVeil`                               | 4.0.0.175         | Win32    | `East-Tec`                                | 
 | `ContentKeeper Cloud`                     | 9.01.45           | Win32    | `ContentKeeper Technologies`              |
 | `Dragon Professional Individual`          | 15.00.100         | Win32    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 12.0.0.0          | `Store`  | `Data recognition Corporation`            |
@@ -107,6 +108,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Ghotit Real Writer & Reader`             | 10.14.2.3         | Win32    | `Ghotit Ltd`                              |
 | `GoGuardian`                              | 1.4.4             | Win32    | `GoGuardian`                              |
 | `Google Chrome`                           | 109.0.5414.75     | Win32    | `Google`                                  |
+| `GuideConnect`                            | 1.23              | Win32    | `Dolphin Computer Access`                 |
 | `Illuminate Lockdown Browser`             | 2.0.5             | Win32    | `Illuminate Education`                    |
 | `Immunet`                                 | 7.5.8.21178       | Win32    | `Immunet`                                 |
 | `Impero Backdrop Client`                  | 4.4.86            | Win32    | `Impero Software`                         |
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 36e841ae91..b338b51a2f 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -53,7 +53,7 @@ The following settings can't be changed.
 | Allowed Account Types  | Microsoft accounts and Azure AD accounts are allowed. |
 | Virtual Desktops  | Virtual Desktops are blocked. |
 | Microsoft Store  | The Microsoft Store is blocked. |
-| Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
+| Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. |
 | Apps  | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).  |
 
 ## Next steps
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index d6bbee15ca..e4d5e9ef2e 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ ms.date: 07/21/2021
 # Acquire apps in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 4ea7713429..d2cf5a3906 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
 
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 3555366945..926aa750f9 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role. 
 
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index f59d3fa018..661d98861a 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education has thousands of apps from many different categories.
 
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index 7225de9903..c296c8f37d 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
 
diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md
index a258d9af7e..5205cbadba 100644
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Billing and payments
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Access invoices and managed your payment methods.
 
diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md
index 77f5fa0713..82581997ea 100644
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Understand billing profiles
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices. 
 
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index d3b06dbe77..e500732cc9 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -16,7 +16,7 @@ manager: dansimp
 # Understand your Microsoft Customer Agreement invoice
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The invoice provides a summary of your charges and provides instructions for payment. It's available for
 download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 70adfcef94..190b9be3e6 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 
@@ -45,6 +45,6 @@ After your management tool is added to your Azure AD directory, you can configur
 
 Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
 - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
-- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 
 For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 2cc25547e0..b443e48e71 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
 
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 39518d2c87..7f88c7212e 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
 
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 8bde8ed28d..90e4939804 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index b1b43828f9..765f0b39ce 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > 
 Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
 
@@ -45,7 +45,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
 - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages).
 
 - **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
-    - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+    - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
     - [Manage apps from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)<br>
 
 For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 0a239cee50..ad4b5f621a 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
 
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
index 5555b333e4..99a065dd84 100644
--- a/store-for-business/includes/store-for-business-content-updates.md
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -1,3 +1,6 @@
+---
+ms.date: 10/31/2020
+---
 <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
 

 
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 82901c7ebe..369336371c 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
 
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 84c39959bb..2b8c3e26f4 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
 
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index 855e3839ed..706e1bc726 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. 
 
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 4b6f8bd99e..dfc9b3d00d 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -16,7 +16,7 @@ manager: dansimp
 # Manage app orders in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
 
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index b7765c7ea3..218f2b5aac 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
 
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index 37505459c3..e3d9147262 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
 
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index de70959d59..36ec4938f9 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
 
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index a5149c0b1e..3318a1ca0c 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -19,7 +19,7 @@ manager: dansimp
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
 
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 6516ad323c..a7009160fa 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 548f8ecce0..264f2228e9 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. 
 
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index b0d445d780..b56a2ebe5e 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Payment methods
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 59d4c2b19b..0dd6457beb 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 5d9ea05e6c..e1fd90b393 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -15,7 +15,7 @@ manager: dansimp
 # Microsoft Store for Business and Education release history
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
 
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 6b9ac86995..1ca0ec4692 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 > [!IMPORTANT]
 > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index 4a44723dd6..f29dace9ef 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
 # Settings reference: Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 
 The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 32cdba4b8f..4c4e855373 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
 
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 074a34eb0f..f9154689ca 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 -   Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Troubleshooting topics for Microsoft Store for Business.
 
@@ -53,7 +53,7 @@ The private store for your organization is a page in Microsoft Store app that co
 
     ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png)
 
-## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
+## Troubleshooting Microsoft Store for Business integration with Microsoft Configuration Manager
 
 If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration).
 
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index b277705e60..78cd7532b8 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -17,7 +17,7 @@ manager: dansimp
 # Update Billing account settings
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 A billing account contains defining information about your organization. 
 
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index ee29b9c93f..bc329afe4d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -15,7 +15,7 @@ manager: dansimp
 # What's new in Microsoft Store for Business and Education
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Microsoft Store for Business and Education regularly releases new and improved features.  
 
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 92b489f6ab..0a71365353 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 
 Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
 
diff --git a/template.md b/template.md
index 6049d2ff6d..c9529e25a3 100644
--- a/template.md
+++ b/template.md
@@ -290,4 +290,4 @@ Always include alt text for accessibility, and always end it with a period.
 ## docs.ms extensions
 
 > [!div class="nextstepaction"]
-> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
+> [Microsoft Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index e9d56cf86b..dff2c16732 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -63,7 +63,7 @@ To install the Company Portal app, you have some options:
 
 - **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
 
-  - In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
+  - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
 
   - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
 
@@ -80,17 +80,17 @@ To install the Company Portal app, you have some options:
 
 ## Customize the Company Portal app
 
-Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
+Many organizations customize the Company Portal app to include their specific information. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more.
 
 For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app).
 
 ## Add your organization apps to the Company Portal app
 
-When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
+When you add an app in the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting.
 
 On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal).
 
-When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see:
+When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Intune admin center, see:
 
 - [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365)
 - [Add web apps using Intune](/mem/intune/apps/web-app)
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index af610cec3c..cc058826be 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -11,12 +11,12 @@ ms.reviewer:
 manager: aaroncz
 ---
 
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
 
 Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
 
-- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 If you use the Azure portal, then you can access Intune using the following steps:
 
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 04d9be81f2..56b72cdf0a 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -41,7 +41,7 @@ Config lock isn't enabled by default, or turned on by the OS during boot. Rather
 The steps to turn on config lock using Microsoft Intune are as follows:
 
 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
 1. Select the following and press **Create**:
     - **Platform**: Windows 10 and later
     - **Profile type**: Templates
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index a21b6f8223..f9a7b26caf 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,223 +1,936 @@
 ---
 title: AppLocker CSP
-description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
-ms.reviewer: 
+description: Learn more about the AppLocker CSP.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/23/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/19/2019
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- AppLocker-Begin -->
 # AppLocker CSP
 
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+<!-- AppLocker-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
+<!-- AppLocker-Editable-End -->
 
+<!-- AppLocker-Tree-Begin -->
 The following example shows the AppLocker configuration service provider in tree format.
 
-```console
-./Vendor/MSFT
-AppLocker
-----ApplicationLaunchRestrictions
---------Grouping
-------------EXE
-----------------Policy
-----------------EnforcementMode
-----------------NonInteractiveProcessEnforcement
-------------MSI
-----------------Policy
-----------------EnforcementMode
-------------Script
-----------------Policy
-----------------EnforcementMode
-------------StoreApps
-----------------Policy
-----------------EnforcementMode
-------------DLL
-----------------Policy
-----------------EnforcementMode
-----------------NonInteractiveProcessEnforcement
-------------CodeIntegrity
-----------------Policy
-----EnterpriseDataProtection
---------Grouping
-------------EXE
-----------------Policy
-------------StoreApps
-----------------Policy
-----LaunchControl
---------Grouping
-------------EXE
-----------------Policy
-----------------EnforcementMode
-------------StoreApps
-----------------Policy
-----------------EnforcementMode
-----FamilySafety
---------Grouping
-------------EXE
-----------------Policy
-----------------EnforcementMode
-------------StoreApps
-----------------Policy
-----------------EnforcementMode
+```text
+./Vendor/MSFT/AppLocker
+--- ApplicationLaunchRestrictions
+------ {Grouping}
+--------- CodeIntegrity
+------------ Policy
+--------- DLL
+------------ EnforcementMode
+------------ NonInteractiveProcessEnforcement
+------------ Policy
+--------- EXE
+------------ EnforcementMode
+------------ NonInteractiveProcessEnforcement
+------------ Policy
+--------- MSI
+------------ EnforcementMode
+------------ Policy
+--------- Script
+------------ EnforcementMode
+------------ Policy
+--------- StoreApps
+------------ EnforcementMode
+------------ Policy
+--- EnterpriseDataProtection
+------ {Grouping}
+--------- EXE
+------------ Policy
+--------- StoreApps
+------------ Policy
+--- FamilySafety
+------ {Grouping}
+--------- EXE
+------------ EnforcementMode
+------------ Policy
+--------- StoreApps
+------------ EnforcementMode
+------------ Policy
+--- LaunchControl
+------ {Grouping}
+--------- EXE
+------------ EnforcementMode
+------------ Policy
+--------- StoreApps
+------------ EnforcementMode
+------------ Policy
 ```
-<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker**
-Defines the root node for the AppLocker configuration service provider.
+<!-- AppLocker-Tree-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions"></a>**AppLocker/ApplicationLaunchRestrictions**
+<!-- Device-ApplicationLaunchRestrictions-Begin -->
+## ApplicationLaunchRestrictions
+
+<!-- Device-ApplicationLaunchRestrictions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions
+```
+<!-- Device-ApplicationLaunchRestrictions-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-Description-Begin -->
+<!-- Description-Source-DDF -->
 Defines restrictions for applications.
+<!-- Device-ApplicationLaunchRestrictions-Description-End -->
 
+<!-- Device-ApplicationLaunchRestrictions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
+> When you create a list of allowed apps, all [inbox apps](#inbox-apps-and-components) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
 >
 > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
 
 > [!NOTE]
-> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
+> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the `AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` URI.
+<!-- Device-ApplicationLaunchRestrictions-Editable-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
-Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
-Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
+<!-- Device-ApplicationLaunchRestrictions-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Get, Add, Delete, and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-ApplicationLaunchRestrictions-DFProperties-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE**
-Defines restrictions for launching executable applications.
+<!-- Device-ApplicationLaunchRestrictions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-Examples-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Begin -->
+### ApplicationLaunchRestrictions/{Grouping}
 
-Data type is string.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Applicability-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-OmaUri-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Description-End -->
 
-The data type is a string.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Editable-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-noninteractiveprocessenforcement"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement**
-The data type is a string.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DFProperties-End -->
 
-Supported operations are Add, Delete, Get, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Examples-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI**
-Defines restrictions for executing Windows Installer files.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Applicability-End -->
 
-Data type is string.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-OmaUri-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Description-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Editable-End -->
 
-The data type is a string.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Get, Add, Delete, and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-DFProperties-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-script"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script**
-Defines restrictions for running scripts.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Examples-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy
 
-Data type is string.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Applicability-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-OmaUri-End -->
 
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
-
-The data type is a string.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps**
-Defines restrictions for running apps from the Microsoft Store.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-
-Data type is string.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
-
-The data type is a string.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL**
-Defines restrictions for processing DLL files.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-
-Data type is string.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
-
-The data type is a string.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-noninteractiveprocessenforcement"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement**
-The data type is a string.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-codeintegrity"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity**
-This node is only supported on the desktop.
-
-Supported operations are Get, Add, Delete, and Replace.
-
-<a href="" id="applocker-applicationlaunchrestrictions-grouping-codeintegrity-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy**
-Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-
-Data type is Base64.
-
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Description-End -->
 
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
+> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker CSP.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Editable-End -->
 
-<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
-Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-DFProperties-Begin -->
+**Description framework properties**:
 
+| Property name | Property value |
+|:--|:--|
+| Format | b64 |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-CodeIntegrity-Policy-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/DLL
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines restrictions for processing DLL files.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-EnforcementMode-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-NonInteractiveProcessEnforcement-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/DLL/Policy
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-DLL-Policy-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/EXE
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines restrictions for launching executable applications.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-EnforcementMode-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-NonInteractiveProcessEnforcement-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/EXE/Policy
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-EXE-Policy-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/MSI
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines restrictions for executing Windows Installer files.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-EnforcementMode-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/MSI/Policy
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-MSI-Policy-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/Script
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines restrictions for running scripts.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-EnforcementMode-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/Script/Policy
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-Script-Policy-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Begin -->
+#### ApplicationLaunchRestrictions/{Grouping}/StoreApps
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines restrictions for running apps from the Microsoft Store.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-EnforcementMode-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Begin -->
+##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Applicability-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy
+```
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-OmaUri-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Description-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Editable-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-DFProperties-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-Examples-End -->
+
+<!-- Device-ApplicationLaunchRestrictions-{Grouping}-StoreApps-Policy-End -->
+
+<!-- Device-EnterpriseDataProtection-Begin -->
+## EnterpriseDataProtection
+
+<!-- Device-EnterpriseDataProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection
+```
+<!-- Device-EnterpriseDataProtection-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-Description-Begin -->
+<!-- Description-Source-DDF -->
+Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP.
+<!-- Device-EnterpriseDataProtection-Description-End -->
+
+<!-- Device-EnterpriseDataProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
 
 You can set the allowed list using the following URI:
@@ -238,52 +951,1316 @@ Exempt examples:
 Additional information:
 
 - [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
+<!-- Device-EnterpriseDataProtection-Editable-End -->
 
-<a href="" id="applocker-enterprisedataprotection-grouping"></a>**AppLocker/EnterpriseDataProtection/_Grouping_**
-Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
-Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
+<!-- Device-EnterpriseDataProtection-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Get, Add, Delete, and Replace.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-EnterpriseDataProtection-DFProperties-End -->
 
-<a href="" id="applocker-enterprisedataprotection-grouping-exe"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/EXE**
+<!-- Device-EnterpriseDataProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-Examples-End -->
+
+<!-- Device-EnterpriseDataProtection-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-Begin -->
+### EnterpriseDataProtection/{Grouping}
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-{Grouping}-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}
+```
+<!-- Device-EnterpriseDataProtection-{Grouping}-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
+<!-- Device-EnterpriseDataProtection-{Grouping}-Description-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-Editable-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-EnterpriseDataProtection-{Grouping}-DFProperties-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-Examples-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Begin -->
+#### EnterpriseDataProtection/{Grouping}/EXE
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE
+```
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Description-Begin -->
+<!-- Description-Source-DDF -->
 Defines restrictions for launching executable applications.
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Description-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Editable-End -->
 
-<a href="" id="applocker-enterprisedataprotection-grouping-exe-policy"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy**
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-DFProperties-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Examples-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Begin -->
+##### EnterpriseDataProtection/{Grouping}/EXE/Policy
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE/Policy
+```
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
 Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Description-End -->
 
-Data type is string.
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Editable-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="applocker-enterprisedataprotection-grouping-storeapps"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-DFProperties-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-Examples-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-EXE-Policy-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Begin -->
+#### EnterpriseDataProtection/{Grouping}/StoreApps
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps
+```
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Description-Begin -->
+<!-- Description-Source-DDF -->
 Defines restrictions for running apps from the Microsoft Store.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Description-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Editable-End -->
 
-<a href="" id="applocker-enterprisedataprotection-grouping-exe-storeapps"></a>**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy**
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-DFProperties-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Examples-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Begin -->
+##### EnterpriseDataProtection/{Grouping}/StoreApps/Policy
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Applicability-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps/Policy
+```
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-OmaUri-End -->
+
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
 Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Description-End -->
 
-Data type is string.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Editable-End -->
 
-Supported operations are Get, Add, Delete, and Replace.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-DFProperties-Begin -->
+**Description framework properties**:
 
-1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
-2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-DFProperties-End -->
 
-    The **Device Portal** page opens on your browser.
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-Examples-End -->
 
-    ![device portal screenshot.](images/applocker-screenshot1.png)
+<!-- Device-EnterpriseDataProtection-{Grouping}-StoreApps-Policy-End -->
 
-3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
-4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
+<!-- Device-FamilySafety-Begin -->
+## FamilySafety
 
-    ![device portal app manager.](images/applocker-screenshot3.png)
+<!-- Device-FamilySafety-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-Applicability-End -->
 
-5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
+<!-- Device-FamilySafety-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety
+```
+<!-- Device-FamilySafety-OmaUri-End -->
 
-    ![app manager.](images/applocker-screenshot2.png)
+<!-- Device-FamilySafety-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-FamilySafety-Description-End -->
+
+<!-- Device-FamilySafety-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-Editable-End -->
+
+<!-- Device-FamilySafety-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-FamilySafety-DFProperties-End -->
+
+<!-- Device-FamilySafety-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-Examples-End -->
+
+<!-- Device-FamilySafety-End -->
+
+<!-- Device-FamilySafety-{Grouping}-Begin -->
+### FamilySafety/{Grouping}
+
+<!-- Device-FamilySafety-{Grouping}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}
+```
+<!-- Device-FamilySafety-{Grouping}-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-FamilySafety-{Grouping}-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-FamilySafety-{Grouping}-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Begin -->
+#### FamilySafety/{Grouping}/EXE
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-EXE-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE
+```
+<!-- Device-FamilySafety-{Grouping}-EXE-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-FamilySafety-{Grouping}-EXE-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FamilySafety-{Grouping}-EXE-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Begin -->
+##### FamilySafety/{Grouping}/EXE/EnforcementMode
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/EnforcementMode
+```
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-EnforcementMode-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Begin -->
+##### FamilySafety/{Grouping}/EXE/Policy
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/Policy
+```
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-EXE-Policy-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Begin -->
+#### FamilySafety/{Grouping}/StoreApps
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps
+```
+<!-- Device-FamilySafety-{Grouping}-StoreApps-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Begin -->
+##### FamilySafety/{Grouping}/StoreApps/EnforcementMode
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/EnforcementMode
+```
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-EnforcementMode-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Begin -->
+##### FamilySafety/{Grouping}/StoreApps/Policy
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Applicability-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/Policy
+```
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-OmaUri-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Description-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Editable-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-DFProperties-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-Examples-End -->
+
+<!-- Device-FamilySafety-{Grouping}-StoreApps-Policy-End -->
+
+<!-- Device-LaunchControl-Begin -->
+## LaunchControl
+
+<!-- Device-LaunchControl-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-Applicability-End -->
+
+<!-- Device-LaunchControl-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl
+```
+<!-- Device-LaunchControl-OmaUri-End -->
+
+<!-- Device-LaunchControl-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-LaunchControl-Description-End -->
+
+<!-- Device-LaunchControl-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-Editable-End -->
+
+<!-- Device-LaunchControl-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-LaunchControl-DFProperties-End -->
+
+<!-- Device-LaunchControl-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-Examples-End -->
+
+<!-- Device-LaunchControl-End -->
+
+<!-- Device-LaunchControl-{Grouping}-Begin -->
+### LaunchControl/{Grouping}
+
+<!-- Device-LaunchControl-{Grouping}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}
+```
+<!-- Device-LaunchControl-{Grouping}-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-LaunchControl-{Grouping}-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-LaunchControl-{Grouping}-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Begin -->
+#### LaunchControl/{Grouping}/EXE
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-EXE-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE
+```
+<!-- Device-LaunchControl-{Grouping}-EXE-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-LaunchControl-{Grouping}-EXE-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-LaunchControl-{Grouping}-EXE-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Begin -->
+##### LaunchControl/{Grouping}/EXE/EnforcementMode
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/EnforcementMode
+```
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-EnforcementMode-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Begin -->
+##### LaunchControl/{Grouping}/EXE/Policy
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/Policy
+```
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-EXE-Policy-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Begin -->
+#### LaunchControl/{Grouping}/StoreApps
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps
+```
+<!-- Device-LaunchControl-{Grouping}-StoreApps-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Begin -->
+##### LaunchControl/{Grouping}/StoreApps/EnforcementMode
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/EnforcementMode
+```
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Description-Begin -->
+<!-- Description-Source-DDF -->
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-EnforcementMode-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Begin -->
+##### LaunchControl/{Grouping}/StoreApps/Policy
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Applicability-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-OmaUri-Begin -->
+```Device
+./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/Policy
+```
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-OmaUri-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Description-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Editable-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Reboot Behavior | Automatic |
+| Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) |
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-DFProperties-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-Examples-End -->
+
+<!-- Device-LaunchControl-{Grouping}-StoreApps-Policy-End -->
+
+<!-- AppLocker-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+## Policy XSD Schema
+
+```xml
+<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
+  <!-- -->
+  <!-- AppLockerPolicy-Type -->
+  <!-- -->
+  <xs:element name="AppLockerPolicy" type="PolicyType">
+    <xs:unique name="UniqueRuleCollectionTypeConstraint">
+      <xs:selector xpath="RuleCollection" />
+      <xs:field xpath="@Type" />
+    </xs:unique>
+    <xs:unique name="UniqueRuleIdConstraint">
+      <xs:selector xpath="RuleCollection/*" />
+      <xs:field xpath="@Id" />
+    </xs:unique>
+  </xs:element>
+  <!-- -->
+  <!-- Policy-Type -->
+  <!-- -->
+  <xs:complexType name="PolicyType">
+    <xs:sequence>
+      <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded">
+      </xs:element>
+      <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1">
+      </xs:element>
+    </xs:sequence>
+    <xs:attribute name="Version" type="PolicyVersionType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- PolicyVersion-Type -->
+  <!-- -->
+  <xs:simpleType name="PolicyVersionType">
+    <xs:restriction base="xs:decimal">
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- RuleCollection-Type -->
+  <!-- -->
+  <xs:complexType name="RuleCollectionType">
+    <xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded">
+        </xs:element>
+        <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded">
+        </xs:element>
+        <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded">
+        </xs:element>
+      </xs:choice>
+      <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1">
+      </xs:element>
+    </xs:sequence>
+    <xs:attribute name="Type" type="xs:string" use="required" />
+    <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional" />
+  </xs:complexType>
+  <!-- -->
+  <!-- PolicyExtensions-Type -->
+  <!-- -->
+  <xs:complexType name="PolicyExtensionsType">
+    <xs:sequence>
+      <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" />
+      <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- RuleCollectionExtensions-Type -->
+  <!-- -->
+  <xs:complexType name="RuleCollectionExtensionsType">
+    <xs:sequence>
+      <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1">
+        <!-- -->
+        <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. -->
+        <!-- -->
+      </xs:element>
+      <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" />
+      <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- EnforcementMode-Type -->
+  <!-- -->
+  <xs:simpleType name="EnforcementModeType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="NotConfigured" />
+      <xs:enumeration value="Enabled" />
+      <xs:enumeration value="AuditOnly" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- FilePublisherRule-Type -->
+  <!-- -->
+  <xs:complexType name="FilePublisherRuleType">
+    <xs:all>
+      <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" />
+      <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" />
+    </xs:all>
+    <xs:attributeGroup ref="RuleAttributes" />
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePathRule-Type -->
+  <!-- -->
+  <xs:complexType name="FilePathRuleType">
+    <xs:all>
+      <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" />
+      <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" />
+    </xs:all>
+    <xs:attributeGroup ref="RuleAttributes" />
+  </xs:complexType>
+  <!-- -->
+  <!-- FileHashRule-Type -->
+  <!-- -->
+  <xs:complexType name="FileHashRuleType">
+    <xs:all>
+      <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" />
+    </xs:all>
+    <xs:attributeGroup ref="RuleAttributes" />
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePublisherRuleConditions-Type -->
+  <!-- -->
+  <xs:complexType name="FilePublisherRuleConditionsType">
+    <xs:sequence>
+      <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePublisherRuleExceptions-Type -->
+  <!-- -->
+  <xs:complexType name="FilePublisherRuleExceptionsType">
+    <xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded" />
+      </xs:choice>
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePathRuleConditions-Type -->
+  <!-- -->
+  <xs:complexType name="FilePathRuleConditionsType">
+    <xs:sequence>
+      <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePathRuleExceptions-Type -->
+  <!-- -->
+  <xs:complexType name="FilePathRuleExceptionsType">
+    <xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded" />
+        <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded" />
+      </xs:choice>
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- FileHashRuleConditions-Type -->
+  <!-- -->
+  <xs:complexType name="FileHashRuleConditionsType">
+    <xs:sequence>
+      <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- Rule-Attributes -->
+  <!-- -->
+  <xs:attributeGroup name="RuleAttributes">
+    <xs:attribute name="Id" type="GuidType" use="required" />
+    <xs:attribute name="Name" type="RuleNameType" use="required" />
+    <xs:attribute name="Description" type="RuleDescriptionType" use="required" />
+    <xs:attribute name="UserOrGroupSid" type="SidType" use="required" />
+    <xs:attribute name="Action" type="RuleActionType" use="required" />
+  </xs:attributeGroup>
+  <!-- -->
+  <!-- RuleName-Type -->
+  <!-- -->
+  <xs:simpleType name="RuleNameType">
+    <xs:restriction base="xs:string">
+      <xs:minLength value="1" />
+      <xs:maxLength value="1024" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- RuleDescription-Type -->
+  <!-- -->
+  <xs:simpleType name="RuleDescriptionType">
+    <xs:restriction base="xs:string">
+      <xs:minLength value="0" />
+      <xs:maxLength value="1024" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- RuleAction-Type -->
+  <!-- -->
+  <xs:simpleType name="RuleActionType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="Allow" />
+      <xs:enumeration value="Deny" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- FilePublisherCondition-Type -->
+  <!-- -->
+  <xs:complexType name="FilePublisherConditionType">
+    <xs:all>
+      <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" />
+    </xs:all>
+    <xs:attribute name="PublisherName" type="PublisherNameType" use="required" />
+    <xs:attribute name="ProductName" type="ProductNameType" use="required" />
+    <xs:attribute name="BinaryName" type="BinaryNameType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- PublisherName-Type -->
+  <!-- -->
+  <xs:simpleType name="PublisherNameType">
+    <xs:restriction base="xs:string">
+      <xs:minLength value="1" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- ProductName-Type -->
+  <!-- -->
+  <xs:simpleType name="ProductNameType">
+    <xs:restriction base="xs:string">
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- BinaryName-Type -->
+  <!-- -->
+  <xs:simpleType name="BinaryNameType">
+    <xs:restriction base="xs:string">
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- FileVersionRange-Type -->
+  <!-- -->
+  <xs:complexType name="FileVersionRangeType">
+    <xs:attribute name="LowSection" type="FileVersionType" use="required" />
+    <xs:attribute name="HighSection" type="FileVersionType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- FileVersion-Type -->
+  <!-- -->
+  <xs:simpleType name="FileVersionType">
+    <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType" />
+  </xs:simpleType>
+  <!-- -->
+  <!-- SpecificFileVersion-Type -->
+  <!-- -->
+  <xs:simpleType name="SpecificFileVersionType">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- AnyFileVersion-Type -->
+  <!-- -->
+  <xs:simpleType name="AnyFileVersionType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="*" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- FilePathCondition-Type -->
+  <!-- -->
+  <xs:complexType name="FilePathConditionType">
+    <xs:attribute name="Path" type="FilePathType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- FilePath-Type -->
+  <!-- -->
+  <xs:simpleType name="FilePathType">
+    <xs:restriction base="xs:string">
+      <xs:minLength value="1" />
+      <xs:maxLength value="32767" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- FileHashCondition-Type -->
+  <!-- -->
+  <xs:complexType name="FileHashConditionType">
+    <xs:sequence>
+      <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- FileHash-Type -->
+  <!-- -->
+  <xs:complexType name="FileHashType">
+    <xs:attribute name="Type" type="HashType" use="required" />
+    <xs:attribute name="Data" type="HashDataType" use="required" />
+    <xs:attribute name="SourceFileName" type="xs:string" use="optional" />
+    <xs:attribute name="SourceFileLength" type="xs:integer" use="optional" />
+  </xs:complexType>
+  <!-- -->
+  <!-- Hash-Type -->
+  <!-- -->
+  <xs:simpleType name="HashType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="SHA256" />
+      <xs:enumeration value="SHA256Flat" />
+      <xs:enumeration value="SHA1" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- HashData-Type -->
+  <!-- -->
+  <xs:simpleType name="HashDataType">
+    <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType" />
+  </xs:simpleType>
+  <xs:simpleType name="SHA256HashDataType">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="0x([0-9A-Fa-f]{64})" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="SHA256FlatHashDataType">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="0x([0-9A-Fa-f]{64})" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:simpleType name="SHA1HashDataType">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="0x([0-9A-Fa-f]{40})" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- ServicesEnforcementMode-Type -->
+  <!-- -->
+  <xs:simpleType name="ServicesEnforcementModeType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="NotConfigured" />
+      <xs:enumeration value="Enabled" />
+      <xs:enumeration value="ServicesOnly" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- Services-Type -->
+  <!-- -->
+  <xs:complexType name="ServicesType">
+    <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- ThresholdCollectionExtensions-Type -->
+  <!-- -->
+  <xs:complexType name="ThresholdCollectionExtensionsType">
+    <xs:sequence>
+      <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- AllowSystemApps-Type -->
+  <!-- -->
+  <xs:simpleType name="AllowSystemAppsType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="Enabled" />
+      <xs:enumeration value="NotEnabled" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- SystemApps-Type -->
+  <!-- -->
+  <xs:complexType name="SystemAppsType">
+    <xs:attribute name="Allow" type="AllowSystemAppsType" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- OriginDataRevocation-Type -->
+  <!-- -->
+  <xs:complexType name="OriginDataRevocationType">
+    <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required" />
+    <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required" />
+  </xs:complexType>
+  <!-- -->
+  <!-- RedstoneCollectionExtensions-Type -->
+  <!-- -->
+  <xs:complexType name="RedstoneCollectionExtensionsType">
+    <xs:sequence>
+      <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" />
+      <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <!-- -->
+  <!-- ThresholdPolicyExtensions-Type -->
+  <!-- -->
+  <xs:complexType name="ThresholdPolicyExtensionsType">
+    <xs:sequence>
+      <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" />
+    </xs:sequence>
+  </xs:complexType>
+  <xs:complexType name="PluginsType">
+    <xs:sequence>
+      <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <xs:complexType name="PluginType">
+    <xs:sequence>
+      <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" />
+    </xs:sequence>
+    <xs:attribute name="Name" type="xs:string" />
+    <xs:attribute name="Id" type="GuidType" />
+  </xs:complexType>
+  <xs:complexType name="ExecutionCategoriesType">
+    <xs:sequence>
+      <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <xs:complexType name="ExecutionCategoryType">
+    <xs:sequence>
+      <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" />
+    </xs:sequence>
+    <xs:attribute name="Id" type="GuidType" />
+    <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" />
+  </xs:complexType>
+  <xs:simpleType name="AttributeListType">
+    <xs:list itemType="AttributeEnumType" />
+  </xs:simpleType>
+  <xs:simpleType name="AttributeEnumType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="Hash" />
+      <xs:enumeration value="Path" />
+      <xs:enumeration value="Publisher" />
+    </xs:restriction>
+  </xs:simpleType>
+  <xs:complexType name="PluginPoliciesType">
+    <xs:sequence>
+      <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" />
+    </xs:sequence>
+  </xs:complexType>
+  <xs:complexType name="PluginPolicyType">
+    <xs:attribute name="Id" type="GuidType" />
+  </xs:complexType>
+  <!-- -->
+  <!-- Generic Types... -->
+  <!-- -->
+  <!-- -->
+  <!-- Boolean-Type -->
+  <!-- -->
+  <xs:simpleType name="BooleanType">
+    <xs:restriction base="xs:string">
+      <xs:enumeration value="True" />
+      <xs:enumeration value="False" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- Guid-Type -->
+  <!-- -->
+  <xs:simpleType name="GuidType">
+    <xs:restriction base="xs:string">
+      <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}" />
+    </xs:restriction>
+  </xs:simpleType>
+  <!-- -->
+  <!-- Sid-Type -->
+  <!-- -->
+  <xs:simpleType name="SidType">
+    <xs:restriction base="xs:string">
+      <xs:minLength value="7" />
+      <xs:pattern value="S-1(-[0-9a-fA-F]+)+" />
+    </xs:restriction>
+  </xs:simpleType>
+</xs:schema>
+```
+
+## File Publisher Rules
 
 The following table shows the mapping of information to the AppLocker publisher rule field.
 
@@ -301,50 +2278,9 @@ Here's an example AppLocker publisher rule:
 </FilePublisherCondition>
 ```
 
-You can get the publisher name and product name of apps using a web API.
-
-**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
-
-1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
-
-3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
-
-Request URI:
-
-```http
-https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
-```
-
-Here's the example for Microsoft OneNote:
-
-Request
-
-```http
-https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata
-```
-
-Result
-
-```json
-{
-  "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
-  "packageIdentityName": "Microsoft.Office.OneNote",
-  "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
-  "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
-}
-```
-
-|Result data|AppLocker publisher rule field|
-|--- |--- |
-|packageIdentityName|ProductName|
-|publisherCertificateName|Publisher|
-|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there's a XAP package associated with the app in the Store. <br> <br>If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
-
-
-## <a href="" id="settingssplashapps"></a>Settings apps that rely on splash apps
+You can get the publisher name and product name of apps using either `Get-AppxPackage` PowerShell cmdlet or [Windows Device Portal](/windows/uwp/debug-test-perf/device-portal-desktop).
 
+## Settings apps that rely on splash apps
 
 These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
 
@@ -368,8 +2304,7 @@ The product name is first part of the PackageFullName followed by the version nu
 | SettingsPageAppsCorner             | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a |
 | SettingsPagePhoneNfc               | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
 
-
-## <a href="" id="inboxappsandcomponents"></a>Inbox apps and components
+## Inbox apps and components
 
 The following list shows the apps that may be included in the inbox.
 
@@ -467,7 +2402,7 @@ The following list shows the apps that may be included in the inbox.
 |Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp|
 |Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider|
 
-## <a href="" id="allow-list-examples"></a>Allowlist examples
+## Allowlist examples
 
 The following example disables the calendar application.
 
@@ -1028,7 +2963,8 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
 ```
 
 ## Example for Windows 10 Holographic for Business
-The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings.
+
+The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inbox-apps-and-components) to enable a working device, and Settings.
 
 ```xml
 <RuleCollection Type="Appx" EnforcementMode="Enabled">
@@ -1464,7 +3400,10 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
   </SyncBody>
 </SyncML>
 ```
+<!-- AppLocker-CspMoreInfo-End -->
 
-## Related topics
+<!-- AppLocker-End -->
 
-[Configuration service provider reference](index.yml)
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index d0e4446e1c..af3f58ccbe 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,673 +1,1149 @@
 ---
 title: AppLocker DDF file
-description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
-ms.reviewer: 
+description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/23/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/05/2017
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
 # AppLocker DDF file
 
-This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
+The following XML file contains the device description framework (DDF) for the AppLocker configuration service provider.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
-    "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
-    [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
-    <VerDTD>1.2</VerDTD>
+  <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>AppLocker</NodeName>
+    <Path>./Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <Description>Root node for the AppLocker configuration service provider</Description>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
     <Node>
-        <NodeName>AppLocker</NodeName>
-        <Path>./Vendor/MSFT</Path>
+      <NodeName>ApplicationLaunchRestrictions</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Defines restrictions for applications.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+        <CaseSense>
+          <CIS />
+        </CaseSense>
+      </DFProperties>
+      <Node>
+        <NodeName>
+        </NodeName>
         <DFProperties>
-            <AccessType>
-                <Get />
-            </AccessType>
-            <DFFormat>
-                <node />
-            </DFFormat>
-            <Occurrence>
-                <One />
-            </Occurrence>
-            <Scope>
-                <Permanent />
-            </Scope>
-            <DFType>
-                <DDFName></DDFName>
-            </DFType>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Grouping</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ServerGeneratedUniqueIdentifier />
+          </MSFT:DynamicNodeNaming>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
         </DFProperties>
         <Node>
-            <NodeName>ApplicationLaunchRestrictions</NodeName>
+          <NodeName>EXE</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for launching executable applications.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
             <DFProperties>
-                <AccessType>
-                    <Get />
-                </AccessType>
-                <DFFormat>
-                    <node />
-                </DFFormat>
-                <Occurrence>
-                    <One />
-                </Occurrence>
-                <Scope>
-                    <Permanent />
-                </Scope>
-                <CaseSense>
-                    <CIS />
-                </CaseSense>
-                <DFType>
-                    <DDFName></DDFName>
-                </DFType>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
             </DFProperties>
-            <Node>
-                <NodeName></NodeName>
-                <DFProperties>
-                    <AccessType>
-                        <Add />
-                        <Delete />
-                        <Get />
-                        <Replace />
-                    </AccessType>
-                    <DFFormat>
-                        <node />
-                    </DFFormat>
-                    <Occurrence>
-                        <ZeroOrMore />
-                    </Occurrence>
-                    <Scope>
-                        <Dynamic />
-                    </Scope>
-                    <DFTitle>Grouping</DFTitle>
-                    <DFType>
-                        <DDFName></DDFName>
-                    </DFType>
-                </DFProperties>
-                <Node>
-                    <NodeName>EXE</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>EnforcementMode</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>NonInteractiveProcessEnforcement</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>MSI</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>EnforcementMode</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>Script</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>EnforcementMode</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>StoreApps</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>EnforcementMode</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>DLL</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>EnforcementMode</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                    <Node>
-                        <NodeName>NonInteractiveProcessEnforcement</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <One />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>CodeIntegrity</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <b64 />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-            </Node>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>NonInteractiveProcessEnforcement</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Insert Description Here</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
         </Node>
         <Node>
-            <NodeName>EnterpriseDataProtection</NodeName>
+          <NodeName>MSI</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for executing Windows Installer files.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
             <DFProperties>
-                <AccessType>
-                    <Get />
-                </AccessType>
-                <DFFormat>
-                    <node />
-                </DFFormat>
-                <Occurrence>
-                    <One />
-                </Occurrence>
-                <Scope>
-                    <Permanent />
-                </Scope>
-                <DFType>
-                    <DDFName></DDFName>
-                </DFType>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
             </DFProperties>
-            <Node>
-                <NodeName></NodeName>
-                <DFProperties>
-                    <AccessType>
-                        <Add />
-                        <Delete />
-                        <Get />
-                        <Replace />
-                    </AccessType>
-                    <DFFormat>
-                        <node />
-                    </DFFormat>
-                    <Occurrence>
-                        <ZeroOrMore />
-                    </Occurrence>
-                    <Scope>
-                        <Dynamic />
-                    </Scope>
-                    <DFTitle>Grouping</DFTitle>
-                    <DFType>
-                        <DDFName></DDFName>
-                    </DFType>
-                </DFProperties>
-                <Node>
-                    <NodeName>EXE</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-                <Node>
-                    <NodeName>StoreApps</NodeName>
-                    <DFProperties>
-                        <AccessType>
-                            <Add />
-                            <Delete />
-                            <Get />
-                            <Replace />
-                        </AccessType>
-                        <DFFormat>
-                            <node />
-                        </DFFormat>
-                        <Occurrence>
-                            <ZeroOrOne />
-                        </Occurrence>
-                        <Scope>
-                            <Dynamic />
-                        </Scope>
-                        <DFType>
-                            <DDFName></DDFName>
-                        </DFType>
-                    </DFProperties>
-                    <Node>
-                        <NodeName>Policy</NodeName>
-                        <DFProperties>
-                            <AccessType>
-                                <Add />
-                                <Delete />
-                                <Get />
-                                <Replace />
-                            </AccessType>
-                            <DFFormat>
-                                <chr />
-                            </DFFormat>
-                            <Occurrence>
-                                <ZeroOrOne />
-                            </Occurrence>
-                            <Scope>
-                                <Dynamic />
-                            </Scope>
-                            <DFType>
-                                <MIME>text/plain</MIME>
-                            </DFType>
-                        </DFProperties>
-                    </Node>
-                </Node>
-            </Node>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
         </Node>
+        <Node>
+          <NodeName>Script</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for running scripts.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>StoreApps</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for running apps from the Microsoft Store.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>DLL</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for processing DLL files.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>NonInteractiveProcessEnforcement</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Insert Description Here</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>CodeIntegrity</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Insert Description Here</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.  This will need to be Base64 encoded.</Description>
+              <DFFormat>
+                <b64 />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="None">
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
     </Node>
+    <Node>
+      <NodeName>EnterpriseDataProtection</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>
+        </NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Grouping</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ServerGeneratedUniqueIdentifier />
+          </MSFT:DynamicNodeNaming>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+        <Node>
+          <NodeName>EXE</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for launching executable applications.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>StoreApps</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Defines restrictions for running apps from the Microsoft Store.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>LaunchControl</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Insert Description Here</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>
+        </NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Insert Description Here</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Grouping</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ServerGeneratedUniqueIdentifier />
+          </MSFT:DynamicNodeNaming>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+        <Node>
+          <NodeName>EXE</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Insert Description Here</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>StoreApps</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Insert Description Here</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>FamilySafety</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>Insert Description Here</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>
+        </NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Insert Description Here</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Grouping</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ServerGeneratedUniqueIdentifier />
+          </MSFT:DynamicNodeNaming>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+        <Node>
+          <NodeName>EXE</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Insert Description Here</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>StoreApps</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <Description>Insert Description Here</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Policy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:AllowedValues ValueType="XSD">
+                <MSFT:Value><![CDATA[<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">  <!-- --> <!-- AppLockerPolicy-Type --> <!-- --> <xs:element name="AppLockerPolicy" type="PolicyType"> <xs:unique name="UniqueRuleCollectionTypeConstraint"> <xs:selector xpath="RuleCollection"/> <xs:field xpath="@Type"/> </xs:unique> <xs:unique name="UniqueRuleIdConstraint"> <xs:selector xpath="RuleCollection/*"/> <xs:field xpath="@Id"/> </xs:unique> </xs:element>  <!-- --> <!-- Policy-Type --> <!-- --> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element name="RuleCollection" type="RuleCollectionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="PolicyExtensions" type="PolicyExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Version" type="PolicyVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- PolicyVersion-Type --> <!-- --> <xs:simpleType name="PolicyVersionType"> <xs:restriction base="xs:decimal"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleCollection-Type --> <!-- --> <xs:complexType name="RuleCollectionType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherRule" type="FilePublisherRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FilePathRule" type="FilePathRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> <xs:element name="FileHashRule" type="FileHashRuleType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:choice> <xs:element name="RuleCollectionExtensions" type="RuleCollectionExtensionsType" minOccurs="0" maxOccurs="1"> </xs:element> </xs:sequence> <xs:attribute name="Type" type="xs:string" use="required"/> <xs:attribute name="EnforcementMode" type="EnforcementModeType" use="optional"/> </xs:complexType>  <!-- --> <!-- PolicyExtensions-Type --> <!-- --> <xs:complexType name="PolicyExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdPolicyExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- RuleCollectionExtensions-Type --> <!-- --> <xs:complexType name="RuleCollectionExtensionsType"> <xs:sequence> <xs:element name="ThresholdExtensions" type="ThresholdCollectionExtensionsType" minOccurs="1" maxOccurs="1"> <!-- --> <!-- Because of the way schema validation works, ThresholdExtensions must be present if RuleCollectionExtensions is present. Otherwise it could be ambiguous whether a ThresholdExtensions element matched the explicit element, or the xs:any element. As new extensions are invented in subsequent releases, they can follow the same model. --> <!-- --> </xs:element> <xs:element name="RedstoneExtensions" type="RedstoneCollectionExtensionsType" minOccurs="1" maxOccurs="1" /> <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- EnforcementMode-Type --> <!-- --> <xs:simpleType name="EnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="AuditOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherRule-Type --> <!-- --> <xs:complexType name="FilePublisherRuleType"> <xs:all> <xs:element name="Conditions" type="FilePublisherRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePublisherRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePathRule-Type --> <!-- --> <xs:complexType name="FilePathRuleType"> <xs:all> <xs:element name="Conditions" type="FilePathRuleConditionsType" minOccurs="1" maxOccurs="1" /> <xs:element name="Exceptions" type="FilePathRuleExceptionsType" minOccurs="0" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FileHashRule-Type --> <!-- --> <xs:complexType name="FileHashRuleType"> <xs:all> <xs:element name="Conditions" type="FileHashRuleConditionsType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attributeGroup ref="RuleAttributes"/> </xs:complexType>  <!-- --> <!-- FilePublisherRuleConditions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleConditionsType"> <xs:sequence> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePublisherRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePublisherRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleConditions-Type --> <!-- --> <xs:complexType name="FilePathRuleConditionsType"> <xs:sequence> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FilePathRuleExceptions-Type --> <!-- --> <xs:complexType name="FilePathRuleExceptionsType"> <xs:sequence> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="FilePathCondition" type="FilePathConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FilePublisherCondition" type="FilePublisherConditionType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHashRuleConditions-Type --> <!-- --> <xs:complexType name="FileHashRuleConditionsType"> <xs:sequence> <xs:element name="FileHashCondition" type="FileHashConditionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- Rule-Attributes --> <!-- --> <xs:attributeGroup name="RuleAttributes"> <xs:attribute name="Id" type="GuidType" use="required"/> <xs:attribute name="Name" type="RuleNameType" use="required"/> <xs:attribute name="Description" type="RuleDescriptionType" use="required"/> <xs:attribute name="UserOrGroupSid" type="SidType" use="required"/> <xs:attribute name="Action" type="RuleActionType" use="required"/> </xs:attributeGroup>  <!-- --> <!-- RuleName-Type --> <!-- --> <xs:simpleType name="RuleNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleDescription-Type --> <!-- --> <xs:simpleType name="RuleDescriptionType"> <xs:restriction base="xs:string"> <xs:minLength value="0"/> <xs:maxLength value="1024"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- RuleAction-Type --> <!-- --> <xs:simpleType name="RuleActionType"> <xs:restriction base="xs:string"> <xs:enumeration value="Allow"/> <xs:enumeration value="Deny"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePublisherCondition-Type --> <!-- --> <xs:complexType name="FilePublisherConditionType"> <xs:all> <xs:element name="BinaryVersionRange" type="FileVersionRangeType" minOccurs="1" maxOccurs="1" /> </xs:all> <xs:attribute name="PublisherName" type="PublisherNameType" use="required"/> <xs:attribute name="ProductName" type="ProductNameType" use="required"/> <xs:attribute name="BinaryName" type="BinaryNameType" use="required"/> </xs:complexType>  <!-- --> <!-- PublisherName-Type --> <!-- --> <xs:simpleType name="PublisherNameType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ProductName-Type --> <!-- --> <xs:simpleType name="ProductNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- BinaryName-Type --> <!-- --> <xs:simpleType name="BinaryNameType"> <xs:restriction base="xs:string"> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileVersionRange-Type --> <!-- --> <xs:complexType name="FileVersionRangeType"> <xs:attribute name="LowSection" type="FileVersionType" use="required"/> <xs:attribute name="HighSection" type="FileVersionType" use="required"/> </xs:complexType>  <!-- --> <!-- FileVersion-Type --> <!-- --> <xs:simpleType name="FileVersionType"> <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/> </xs:simpleType>  <!-- --> <!-- SpecificFileVersion-Type --> <!-- --> <xs:simpleType name="SpecificFileVersionType"> <xs:restriction base="xs:string"> <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- AnyFileVersion-Type --> <!-- --> <xs:simpleType name="AnyFileVersionType"> <xs:restriction base="xs:string"> <xs:enumeration value="*"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FilePathCondition-Type --> <!-- --> <xs:complexType name="FilePathConditionType"> <xs:attribute name="Path" type="FilePathType" use="required"/> </xs:complexType>  <!-- --> <!-- FilePath-Type --> <!-- --> <xs:simpleType name="FilePathType"> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="32767"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- FileHashCondition-Type --> <!-- --> <xs:complexType name="FileHashConditionType"> <xs:sequence> <xs:element name="FileHash" type="FileHashType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType>  <!-- --> <!-- FileHash-Type --> <!-- --> <xs:complexType name="FileHashType"> <xs:attribute name="Type" type="HashType" use="required"/> <xs:attribute name="Data" type="HashDataType" use="required"/> <xs:attribute name="SourceFileName" type="xs:string" use="optional"/> <xs:attribute name="SourceFileLength" type="xs:integer" use="optional"/> </xs:complexType>  <!-- --> <!-- Hash-Type --> <!-- --> <xs:simpleType name="HashType"> <xs:restriction base="xs:string"> <xs:enumeration value="SHA256"/> <xs:enumeration value="SHA256Flat"/> <xs:enumeration value="SHA1"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- HashData-Type --> <!-- --> <xs:simpleType name="HashDataType"> <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/> </xs:simpleType>  <xs:simpleType name="SHA256HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA256FlatHashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{64})"/> </xs:restriction> </xs:simpleType>  <xs:simpleType name="SHA1HashDataType"> <xs:restriction base="xs:string"> <xs:pattern value="0x([0-9A-Fa-f]{40})"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- ServicesEnforcementMode-Type --> <!-- --> <xs:simpleType name="ServicesEnforcementModeType"> <xs:restriction base="xs:string"> <xs:enumeration value="NotConfigured"/> <xs:enumeration value="Enabled"/> <xs:enumeration value="ServicesOnly"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Services-Type --> <!-- --> <xs:complexType name="ServicesType"> <xs:attribute name="EnforcementMode" type="ServicesEnforcementModeType" use="required"/> </xs:complexType>  <!-- --> <!-- ThresholdCollectionExtensions-Type --> <!-- --> <xs:complexType name="ThresholdCollectionExtensionsType"> <xs:sequence> <xs:element name="Services" type="ServicesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- AllowSystemApps-Type --> <!-- --> <xs:simpleType name="AllowSystemAppsType"> <xs:restriction base="xs:string"> <xs:enumeration value="Enabled" /> <xs:enumeration value="NotEnabled" /> </xs:restriction> </xs:simpleType>  <!-- --> <!-- SystemApps-Type --> <!-- --> <xs:complexType name="SystemAppsType"> <xs:attribute name="Allow" type="AllowSystemAppsType" use="required"/> </xs:complexType>  <!-- --> <!-- OriginDataRevocation-Type --> <!-- --> <xs:complexType name="OriginDataRevocationType"> <xs:attribute name="CurrentOriginDataId" type="xs:unsignedInt" use="required"/> <xs:attribute name="TrustedOriginDataId" type="xs:unsignedInt" use="required"/> </xs:complexType>  <!-- --> <!-- RedstoneCollectionExtensions-Type --> <!-- --> <xs:complexType name="RedstoneCollectionExtensionsType"> <xs:sequence> <xs:element name="SystemApps" type="SystemAppsType" minOccurs="0" maxOccurs="1" /> <xs:element name="OriginDataRevocation" type="OriginDataRevocationType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <!-- --> <!-- ThresholdPolicyExtensions-Type --> <!-- --> <xs:complexType name="ThresholdPolicyExtensionsType"> <xs:sequence> <xs:element name="Plugins" type="PluginsType" minOccurs="0" maxOccurs="1" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginsType"> <xs:sequence> <xs:element name="Plugin" type="PluginType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginType"> <xs:sequence> <xs:element name="ExecutionCategories" type="ExecutionCategoriesType" minOccurs="1" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Name" type="xs:string" /> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <xs:complexType name="ExecutionCategoriesType"> <xs:sequence> <xs:element name="ExecutionCategory" type="ExecutionCategoryType" minOccurs="1" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="ExecutionCategoryType"> <xs:sequence> <xs:element name="Policies" type="PluginPoliciesType" minOccurs="0" maxOccurs="1" /> </xs:sequence> <xs:attribute name="Id" type="GuidType" /> <xs:attribute name="AppidTypes" type="AttributeListType" use="optional" /> </xs:complexType>  <xs:simpleType name="AttributeListType"> <xs:list itemType="AttributeEnumType" /> </xs:simpleType>  <xs:simpleType name="AttributeEnumType"> <xs:restriction base="xs:string"> <xs:enumeration value="Hash" /> <xs:enumeration value="Path" /> <xs:enumeration value="Publisher" /> </xs:restriction> </xs:simpleType>  <xs:complexType name="PluginPoliciesType"> <xs:sequence> <xs:element name="Policy" type="PluginPolicyType" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType>  <xs:complexType name="PluginPolicyType"> <xs:attribute name="Id" type="GuidType" /> </xs:complexType>  <!-- --> <!-- Generic Types... --> <!-- -->  <!-- --> <!-- Boolean-Type --> <!-- --> <xs:simpleType name="BooleanType"> <xs:restriction base="xs:string"> <xs:enumeration value="True"/> <xs:enumeration value="False"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Guid-Type --> <!-- --> <xs:simpleType name="GuidType"> <xs:restriction base="xs:string"> <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/> </xs:restriction> </xs:simpleType>  <!-- --> <!-- Sid-Type --> <!-- --> <xs:simpleType name="SidType"> <xs:restriction base="xs:string"> <xs:minLength value="7"/> <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/> </xs:restriction> </xs:simpleType>  </xs:schema> ]]></MSFT:Value>
+              </MSFT:AllowedValues>
+              <MSFT:RebootBehavior>Automatic</MSFT:RebootBehavior>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>EnforcementMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+  </Node>
 </MgmtTree>
 ```
 
-## Related topics
+## Related articles
 
-[AppLocker configuration service provider](applocker-csp.md)
\ No newline at end of file
+[AppLocker configuration service provider reference](applocker-csp.md)
diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md
deleted file mode 100644
index 9daa087800..0000000000
--- a/windows/client-management/mdm/applocker-xsd.md
+++ /dev/null
@@ -1,1292 +0,0 @@
----
-title: AppLocker XSD
-description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
----
-
-# AppLocker XSD
-
-Here's the XSD for the AppLocker CSP.
-
-```xml
-<?xml version="1.0"?>
-
-<xs:schema attributeFormDefault="unqualified"
-
-           elementFormDefault="qualified"
-
-           xmlns:xs="http://www.w3.org/2001/XMLSchema"
-
-           version="1.0">
-
-
-
-  <!-- -->
-
-  <!-- AppLockerPolicy-Type -->
-
-  <!-- -->
-
-  <xs:element name="AppLockerPolicy"
-
-              type="PolicyType">
-
-    <xs:unique name="UniqueRuleCollectionTypeConstraint">
-
-      <xs:selector xpath="RuleCollection"/>
-
-      <xs:field xpath="@Type"/>
-
-    </xs:unique>
-
-    <xs:unique name="UniqueRuleIdConstraint">
-
-      <xs:selector xpath="RuleCollection/*"/>
-
-      <xs:field xpath="@Id"/>
-
-    </xs:unique>
-
-  </xs:element>
-
-
-
-  <!-- -->
-
-  <!-- Policy-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="PolicyType">
-
-    <xs:sequence>
-
-      <xs:element name="RuleCollection"
-
-                  type="RuleCollectionType"
-
-                  minOccurs="0"
-
-                  maxOccurs="unbounded">
-
-      </xs:element>
-
-      <xs:element name="PolicyExtensions"
-
-                  type="PolicyExtensionsType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1">
-
-      </xs:element>
-
-    </xs:sequence>
-
-    <xs:attribute name="Version"
-
-                  type="PolicyVersionType"
-
-                  use="required"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- PolicyVersion-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="PolicyVersionType">
-
-    <xs:restriction base="xs:decimal">
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- RuleCollection-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="RuleCollectionType">
-
-    <xs:sequence>
-
-      <xs:choice minOccurs="0"
-
-                 maxOccurs="unbounded">
-
-        <xs:element name="FilePublisherRule"
-
-                    type="FilePublisherRuleType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded">
-
-        </xs:element>
-
-        <xs:element name="FilePathRule"
-
-                    type="FilePathRuleType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded">
-
-        </xs:element>
-
-        <xs:element name="FileHashRule"
-
-                    type="FileHashRuleType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded">
-
-        </xs:element>
-
-      </xs:choice>
-
-      <xs:element name="RuleCollectionExtensions"
-
-                  type="RuleCollectionExtensionsType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1">
-
-      </xs:element>
-
-    </xs:sequence>
-
-    <xs:attribute name="Type"
-
-                  type="xs:string"
-
-                  use="required"/>
-
-    <xs:attribute name="EnforcementMode"
-
-                  type="EnforcementModeType"
-
-                  use="optional"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- PolicyExtensions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="PolicyExtensionsType">
-
-    <xs:sequence>
-
-      <xs:element name="ThresholdExtensions"
-
-                  type="ThresholdPolicyExtensionsType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-      <xs:any processContents="lax"
-
-              minOccurs="0"
-
-              maxOccurs="unbounded" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- RuleCollectionExtensions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="RuleCollectionExtensionsType">
-
-    <xs:sequence>
-
-      <xs:element name="ThresholdExtensions"
-
-                  type="ThresholdCollectionExtensionsType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1">
-
-        <!-- -->
-
-        <!-- Because of the way schema validation works, ThresholdExtensions
-
-             must be present if RuleCollectionExtensions is present. Otherwise
-
-             it could be ambiguous whether a ThresholdExtensions element
-
-             matched the explicit element, or the xs:any element. As new
-
-             extensions are invented in subsequent releases, they can follow
-
-             the same model. -->
-
-        <!-- -->
-
-      </xs:element>
-
-      <xs:any processContents="lax"
-
-              minOccurs="0"
-
-              maxOccurs="unbounded" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- EnforcementMode-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="EnforcementModeType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="NotConfigured"/>
-
-      <xs:enumeration value="Enabled"/>
-
-      <xs:enumeration value="AuditOnly"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- FilePublisherRule-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePublisherRuleType">
-
-    <xs:all>
-
-      <xs:element name="Conditions"
-
-                  type="FilePublisherRuleConditionsType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-      <xs:element name="Exceptions"
-
-                  type="FilePublisherRuleExceptionsType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1" />
-
-    </xs:all>
-
-    <xs:attributeGroup ref="RuleAttributes"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePathRule-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePathRuleType">
-
-    <xs:all>
-
-      <xs:element name="Conditions"
-
-                  type="FilePathRuleConditionsType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-      <xs:element name="Exceptions"
-
-                  type="FilePathRuleExceptionsType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1" />
-
-    </xs:all>
-
-    <xs:attributeGroup ref="RuleAttributes"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FileHashRule-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FileHashRuleType">
-
-    <xs:all>
-
-      <xs:element name="Conditions"
-
-                  type="FileHashRuleConditionsType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-    </xs:all>
-
-    <xs:attributeGroup ref="RuleAttributes"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePublisherRuleConditions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePublisherRuleConditionsType">
-
-    <xs:sequence>
-
-      <xs:element name="FilePublisherCondition"
-
-                  type="FilePublisherConditionType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1"/>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePublisherRuleExceptions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePublisherRuleExceptionsType">
-
-    <xs:sequence>
-
-      <xs:choice minOccurs="0"
-
-                 maxOccurs="unbounded">
-
-        <xs:element name="FilePublisherCondition"
-
-                    type="FilePublisherConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-        <xs:element name="FilePathCondition"
-
-                    type="FilePathConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-        <xs:element name="FileHashCondition"
-
-                    type="FileHashConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-      </xs:choice>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePathRuleConditions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePathRuleConditionsType">
-
-    <xs:sequence>
-
-      <xs:element name="FilePathCondition"
-
-                  type="FilePathConditionType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1"/>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePathRuleExceptions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePathRuleExceptionsType">
-
-    <xs:sequence>
-
-      <xs:choice minOccurs="0"
-
-                 maxOccurs="unbounded">
-
-        <xs:element name="FilePathCondition"
-
-                    type="FilePathConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-        <xs:element name="FilePublisherCondition"
-
-                    type="FilePublisherConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-        <xs:element name="FileHashCondition"
-
-                    type="FileHashConditionType"
-
-                    minOccurs="0"
-
-                    maxOccurs="unbounded"/>
-
-      </xs:choice>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FileHashRuleConditions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FileHashRuleConditionsType">
-
-    <xs:sequence>
-
-      <xs:element name="FileHashCondition"
-
-                  type="FileHashConditionType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1"/>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- Rule-Attributes -->
-
-  <!-- -->
-
-  <xs:attributeGroup name="RuleAttributes">
-
-    <xs:attribute name="Id"
-
-                  type="GuidType"
-
-                  use="required"/>
-
-    <xs:attribute name="Name"
-
-                  type="RuleNameType"
-
-                  use="required"/>
-
-    <xs:attribute name="Description"
-
-                  type="RuleDescriptionType"
-
-                  use="required"/>
-
-    <xs:attribute name="UserOrGroupSid"
-
-                  type="SidType"
-
-                  use="required"/>
-
-    <xs:attribute name="Action"
-
-                  type="RuleActionType"
-
-                  use="required"/>
-
-  </xs:attributeGroup>
-
-
-
-  <!-- -->
-
-  <!-- RuleName-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="RuleNameType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:minLength value="1"/>
-
-      <xs:maxLength value="1024"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- RuleDescription-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="RuleDescriptionType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:minLength value="0"/>
-
-      <xs:maxLength value="1024"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- RuleAction-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="RuleActionType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="Allow"/>
-
-      <xs:enumeration value="Deny"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- FilePublisherCondition-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePublisherConditionType">
-
-    <xs:all>
-
-      <xs:element name="BinaryVersionRange"
-
-                  type="FileVersionRangeType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-    </xs:all>
-
-    <xs:attribute name="PublisherName"
-
-                  type="PublisherNameType"
-
-                  use="required"/>
-
-    <xs:attribute name="ProductName"
-
-                  type="ProductNameType"
-
-                  use="required"/>
-
-    <xs:attribute name="BinaryName"
-
-                  type="BinaryNameType"
-
-                  use="required"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- PublisherName-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="PublisherNameType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:minLength value="1"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- ProductName-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="ProductNameType">
-
-    <xs:restriction base="xs:string">
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- BinaryName-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="BinaryNameType">
-
-    <xs:restriction base="xs:string">
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- FileVersionRange-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FileVersionRangeType">
-
-    <xs:attribute name="LowSection"
-
-                  type="FileVersionType"
-
-                  use="required"/>
-
-    <xs:attribute name="HighSection"
-
-                  type="FileVersionType"
-
-                  use="required"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FileVersion-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="FileVersionType">
-
-    <xs:union memberTypes="SpecificFileVersionType AnyFileVersionType"/>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- SpecificFileVersion-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="SpecificFileVersionType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:pattern value="([0-9]{1,5}.){3}[0-9]{1,5}"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- AnyFileVersion-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="AnyFileVersionType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="*"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- FilePathCondition-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FilePathConditionType">
-
-    <xs:attribute name="Path"
-
-                  type="FilePathType"
-
-                  use="required"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FilePath-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="FilePathType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:minLength value="1"/>
-
-      <xs:maxLength value="32767"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- FileHashCondition-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FileHashConditionType">
-
-    <xs:sequence>
-
-      <xs:element name="FileHash"
-
-                  type="FileHashType"
-
-                  minOccurs="1"
-
-                  maxOccurs="unbounded"/>
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- FileHash-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="FileHashType">
-
-    <xs:attribute name="Type"
-
-                  type="HashType"
-
-                  use="required"/>
-
-    <xs:attribute name="Data"
-
-                  type="HashDataType"
-
-                  use="required"/>
-
-    <xs:attribute name="SourceFileName"
-
-                  type="xs:string"
-
-                  use="optional"/>
-
-    <xs:attribute name="SourceFileLength"
-
-                  type="xs:integer"
-
-                  use="optional"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- Hash-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="HashType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="SHA256"/>
-
-      <xs:enumeration value="SHA256Flat"/>
-
-      <xs:enumeration value="SHA1"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- HashData-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="HashDataType">
-
-    <xs:union memberTypes="SHA256HashDataType SHA256FlatHashDataType SHA1HashDataType"/>
-
-  </xs:simpleType>
-
-
-
-  <xs:simpleType name="SHA256HashDataType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:pattern value="0x([0-9A-Fa-f]{64})"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <xs:simpleType name="SHA256FlatHashDataType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:pattern value="0x([0-9A-Fa-f]{64})"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <xs:simpleType name="SHA1HashDataType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:pattern value="0x([0-9A-Fa-f]{40})"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- ServicesEnforcementMode-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="ServicesEnforcementModeType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="NotConfigured"/>
-
-      <xs:enumeration value="Enabled"/>
-
-      <xs:enumeration value="ServicesOnly"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- Services-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="ServicesType">
-
-    <xs:attribute name="EnforcementMode"
-
-                  type="ServicesEnforcementModeType"
-
-                  use="required"/>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- ThresholdCollectionExtensions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="ThresholdCollectionExtensionsType">
-
-    <xs:sequence>
-
-      <xs:element name="Services"
-
-                  type="ServicesType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- ThresholdPolicyExtensions-Type -->
-
-  <!-- -->
-
-  <xs:complexType name="ThresholdPolicyExtensionsType">
-
-    <xs:sequence>
-
-      <xs:element name="Plugins"
-
-                  type="PluginsType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <xs:complexType name="PluginsType">
-
-    <xs:sequence>
-
-      <xs:element name="Plugin"
-
-                  type="PluginType"
-
-                  minOccurs="0"
-
-                  maxOccurs="unbounded" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <xs:complexType name="PluginType">
-
-    <xs:sequence>
-
-      <xs:element name="ExecutionCategories"
-
-                  type="ExecutionCategoriesType"
-
-                  minOccurs="1"
-
-                  maxOccurs="1" />
-
-    </xs:sequence>
-
-    <xs:attribute name="Name" type="xs:string" />
-
-    <xs:attribute name="Id" type="GuidType" />
-
-   </xs:complexType>
-
-
-
-  <xs:complexType name="ExecutionCategoriesType">
-
-    <xs:sequence>
-
-      <xs:element name="ExecutionCategory"
-
-                  type="ExecutionCategoryType"
-
-                  minOccurs="1"
-
-                  maxOccurs="unbounded" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <xs:complexType name="ExecutionCategoryType">
-
-    <xs:sequence>
-
-      <xs:element name="Policies"
-
-                  type="PluginPoliciesType"
-
-                  minOccurs="0"
-
-                  maxOccurs="1" />
-
-    </xs:sequence>
-
-    <xs:attribute name="Id"
-
-                  type="GuidType" />
-
-    <xs:attribute name="AppidTypes"
-
-                  type="AttributeListType"
-
-                  use="optional" />
-
-  </xs:complexType>
-
-
-
-  <xs:simpleType name="AttributeListType">
-
-    <xs:list itemType="AttributeEnumType" />
-
-  </xs:simpleType>
-
-
-
-  <xs:simpleType name="AttributeEnumType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="Hash" />
-
-      <xs:enumeration value="Path" />
-
-      <xs:enumeration value="Publisher" />
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <xs:complexType name="PluginPoliciesType">
-
-    <xs:sequence>
-
-      <xs:element name="Policy"
-
-                  type="PluginPolicyType"
-
-                  minOccurs="0"
-
-                  maxOccurs="unbounded" />
-
-    </xs:sequence>
-
-  </xs:complexType>
-
-
-
-  <xs:complexType name="PluginPolicyType">
-
-    <xs:attribute name="Id"
-
-                  type="GuidType" />
-
-  </xs:complexType>
-
-
-
-  <!-- -->
-
-  <!-- Generic Types... -->
-
-  <!-- -->
-
-
-
-  <!-- -->
-
-  <!-- Boolean-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="BooleanType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:enumeration value="True"/>
-
-      <xs:enumeration value="False"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- Guid-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="GuidType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:pattern value="[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-  <!-- -->
-
-  <!-- Sid-Type -->
-
-  <!-- -->
-
-  <xs:simpleType name="SidType">
-
-    <xs:restriction base="xs:string">
-
-      <xs:minLength value="7"/>
-
-      <xs:pattern value="S-1(-[0-9a-fA-F]+)+"/>
-
-    </xs:restriction>
-
-  </xs:simpleType>
-
-
-
-</xs:schema>
-```
-
- 
-
- 
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 7974e3a245..c8a2402878 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1,89 +1,1085 @@
 ---
 title: BitLocker CSP
-description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices.
+description: Learn more about the BitLocker CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/22/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 02/04/2022
-ms.reviewer: 
-manager: aaroncz
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- BitLocker-Begin -->
 # BitLocker CSP
 
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- BitLocker-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
 
 > [!NOTE]
-> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes.
 >
-> You must send all the settings together in a single SyncML to be effective.
+> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes.
+> - You must send all the settings together in a single SyncML to be effective.
 
 A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin.
 
 For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
+<!-- BitLocker-Editable-End -->
 
+<!-- BitLocker-Tree-Begin -->
 The following example shows the BitLocker configuration service provider in tree format.
 
-```console
-./Device/Vendor/MSFT
-BitLocker
-----RequireStorageCardEncryption
-----RequireDeviceEncryption
-----EncryptionMethodByDriveType
-----IdentificationField
-----SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
-----SystemDrivesEnhancedPIN
-----SystemDrivesDisallowStandardUsersCanChangePIN
-----SystemDrivesEnablePrebootInputProtectorsOnSlates
-----SystemDrivesEncryptionType
-----SystemDrivesRequireStartupAuthentication
-----SystemDrivesMinimumPINLength
-----SystemDrivesRecoveryMessage
-----SystemDrivesRecoveryOptions
-----FixedDrivesRecoveryOptions
-----FixedDrivesRequireEncryption
-----FixedDrivesEncryptionType
-----RemovableDrivesRequireEncryption
-----RemovableDrivesEncryptionType
-----RemovableDrivesConfigureBDE
-----AllowWarningForOtherDiskEncryption
-----AllowStandardUserEncryption
-----ConfigureRecoveryPasswordRotation
-----RotateRecoveryPasswords
-----Status
---------DeviceEncryptionStatus
---------RotateRecoveryPasswordsStatus
---------RotateRecoveryPasswordsRequestID
+```text
+./Device/Vendor/MSFT/BitLocker
+--- AllowStandardUserEncryption
+--- AllowWarningForOtherDiskEncryption
+--- ConfigureRecoveryPasswordRotation
+--- EncryptionMethodByDriveType
+--- FixedDrivesEncryptionType
+--- FixedDrivesRecoveryOptions
+--- FixedDrivesRequireEncryption
+--- IdentificationField
+--- RemovableDrivesConfigureBDE
+--- RemovableDrivesEncryptionType
+--- RemovableDrivesExcludedFromEncryption
+--- RemovableDrivesRequireEncryption
+--- RequireDeviceEncryption
+--- RequireStorageCardEncryption
+--- RotateRecoveryPasswords
+--- Status
+------ DeviceEncryptionStatus
+------ RemovableDrivesEncryptionStatus
+------ RotateRecoveryPasswordsRequestID
+------ RotateRecoveryPasswordsStatus
+--- SystemDrivesDisallowStandardUsersCanChangePIN
+--- SystemDrivesEnablePrebootInputProtectorsOnSlates
+--- SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+--- SystemDrivesEncryptionType
+--- SystemDrivesEnhancedPIN
+--- SystemDrivesMinimumPINLength
+--- SystemDrivesRecoveryMessage
+--- SystemDrivesRecoveryOptions
+--- SystemDrivesRequireStartupAuthentication
+```
+<!-- BitLocker-Tree-End -->
+
+<!-- Device-AllowStandardUserEncryption-Begin -->
+## AllowStandardUserEncryption
+
+<!-- Device-AllowStandardUserEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-AllowStandardUserEncryption-Applicability-End -->
+
+<!-- Device-AllowStandardUserEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
+```
+<!-- Device-AllowStandardUserEncryption-OmaUri-End -->
+
+<!-- Device-AllowStandardUserEncryption-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user.
+"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced.
+If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
+is the current logged on user in the system.
+
+The expected values for this policy are:
+
+1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
+0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
+will not try to enable encryption on any drive.
+
+
+<!-- Device-AllowStandardUserEncryption-Description-End -->
+
+<!-- Device-AllowStandardUserEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-AllowStandardUserEncryption-Editable-End -->
+
+<!-- Device-AllowStandardUserEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+| Dependency [AllowWarningForOtherDiskEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption` <br> Dependency Allowed Value: `[0]` <br> Dependency Allowed Value Type: `Range` <br>  |
+<!-- Device-AllowStandardUserEncryption-DFProperties-End -->
+
+<!-- Device-AllowStandardUserEncryption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. |
+| 1 | "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. |
+<!-- Device-AllowStandardUserEncryption-AllowedValues-End -->
+
+<!-- Device-AllowStandardUserEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+<Replace>
+ <CmdID>111</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">int</Format>
+     </Meta>
+     <Data>0</Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-AllowStandardUserEncryption-Examples-End -->
+
+<!-- Device-AllowStandardUserEncryption-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Begin -->
+## AllowWarningForOtherDiskEncryption
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-AllowWarningForOtherDiskEncryption-Applicability-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
+```
+<!-- Device-AllowWarningForOtherDiskEncryption-OmaUri-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption)
+and turn on encryption on the user machines silently.
+
+> [!WARNING]
+> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will
+require reinstallation of Windows.
+
+> [!NOTE]
+> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
+
+The expected values for this policy are
+
+1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed.
+0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
+the value 0 only takes affect on Azure Active Directory joined devices.
+Windows will attempt to silently enable BitLocker for value 0.
+
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+> The endpoint for a fixed data drive's backup is chosen in the following order:
+>
+> 1. The user's Windows Server Active Directory Domain Services account.
+> 2. The user's Azure Active Directory account.
+> 3. The user's personal OneDrive (MDM/MAM only).
+>
+> Encryption will wait until one of these three locations backs up successfully.
+<!-- Device-AllowWarningForOtherDiskEncryption-Editable-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-AllowWarningForOtherDiskEncryption-DFProperties-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. |
+| 1 (Default) | Warning prompt allowed. |
+<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+```xml
+<Replace>
+    <CmdID>110</CmdID>
+    <Item>
+        <Target>
+            <LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
+        </Target>
+        <Meta>
+            <Format xmlns="syncml:metinf">int</Format>
+        <Data>0</Data>
+    </Item>
+</Replace>
+```
+<!-- Device-AllowWarningForOtherDiskEncryption-Examples-End -->
+
+<!-- Device-AllowWarningForOtherDiskEncryption-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Begin -->
+## ConfigureRecoveryPasswordRotation
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-ConfigureRecoveryPasswordRotation-Applicability-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation
+```
+<!-- Device-ConfigureRecoveryPasswordRotation-OmaUri-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
+When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
+Active Directory back up for recovery password is configured to required.
+For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
+For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
+
+Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
+1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
+2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
+
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigureRecoveryPasswordRotation-Editable-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-ConfigureRecoveryPasswordRotation-DFProperties-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Refresh off (default). |
+| 1 | Refresh on for Azure AD-joined devices. |
+| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. |
+<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigureRecoveryPasswordRotation-Examples-End -->
+
+<!-- Device-ConfigureRecoveryPasswordRotation-End -->
+
+<!-- Device-EncryptionMethodByDriveType-Begin -->
+## EncryptionMethodByDriveType
+
+<!-- Device-EncryptionMethodByDriveType-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-EncryptionMethodByDriveType-Applicability-End -->
+
+<!-- Device-EncryptionMethodByDriveType-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType
+```
+<!-- Device-EncryptionMethodByDriveType-OmaUri-End -->
+
+<!-- Device-EncryptionMethodByDriveType-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
+
+- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
+
+- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script."
+<!-- Device-EncryptionMethodByDriveType-Description-End -->
+
+<!-- Device-EncryptionMethodByDriveType-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status.
+
+Data ID elements:
+
+- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
+- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
+- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
+
+Sample value for this node to enable this policy and set the encryption methods is:
+
+```xml
+ <enabled/>
+<data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/>
+<data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/>
+<data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
 ```
 
+ The possible values for 'xx' are:
+
+- 3 = AES-CBC 128
+- 4 = AES-CBC 256
+- 6 = XTS-AES 128
+- 7 = XTS-AES 256
+<!-- Device-EncryptionMethodByDriveType-Editable-End -->
+
+<!-- Device-EncryptionMethodByDriveType-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-EncryptionMethodByDriveType-DFProperties-End -->
+
+<!-- Device-EncryptionMethodByDriveType-AdmxBacked-Begin -->
 > [!TIP]
-> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
-<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
-Defines the root node for the BitLocker configuration service provider.
-<!--Policy-->
+**ADMX mapping**:
 
-<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
-<!--Description-->
-Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption.
-<!--/Description-->
-<!--SupportedSKUs-->
+| Name | Value |
+|:--|:--|
+| Name | EncryptionMethodWithXts_Name |
+| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-EncryptionMethodByDriveType-AdmxBacked-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- Device-EncryptionMethodByDriveType-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
 
-<!--/SupportedSKUs-->
-Data type is integer. Sample value for this node to enable this policy: 1.
-Supported operations are Add, Get, Replace, and Delete.
+To disable this policy, use the following SyncML:
+
+```xml
+<Replace>
+  <CmdID>$CmdID$</CmdID>
+    <Item>
+      <Target>
+          <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
+      </Target>
+      <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+      </Meta>
+      <Data><disabled/></Data>
+    </Item>
+</Replace>
+```
+<!-- Device-EncryptionMethodByDriveType-Examples-End -->
+
+<!-- Device-EncryptionMethodByDriveType-End -->
+
+<!-- Device-FixedDrivesEncryptionType-Begin -->
+## FixedDrivesEncryptionType
+
+<!-- Device-FixedDrivesEncryptionType-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-FixedDrivesEncryptionType-Applicability-End -->
+
+<!-- Device-FixedDrivesEncryptionType-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/FixedDrivesEncryptionType
+```
+<!-- Device-FixedDrivesEncryptionType-OmaUri-End -->
+
+<!-- Device-FixedDrivesEncryptionType-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
+
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+
+- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+<!-- Device-FixedDrivesEncryptionType-Description-End -->
+
+<!-- Device-FixedDrivesEncryptionType-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/><data id="FDVEncryptionTypeDropDown_Name" value="1"/>
+```
+
+Possible values:
+
+- 0: Allow user to choose.
+- 1: Full encryption.
+- 2: Used space only encryption.
+
+> [!NOTE]
+> This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+>
+> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde).
+<!-- Device-FixedDrivesEncryptionType-Editable-End -->
+
+<!-- Device-FixedDrivesEncryptionType-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FixedDrivesEncryptionType-DFProperties-End -->
+
+<!-- Device-FixedDrivesEncryptionType-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | FDVEncryptionType_Name |
+| Friendly Name | Enforce drive encryption type on fixed data drives |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | FDVEncryptionType |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-FixedDrivesEncryptionType-AdmxBacked-End -->
+
+<!-- Device-FixedDrivesEncryptionType-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-FixedDrivesEncryptionType-Examples-End -->
+
+<!-- Device-FixedDrivesEncryptionType-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-Begin -->
+## FixedDrivesRecoveryOptions
+
+<!-- Device-FixedDrivesRecoveryOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-FixedDrivesRecoveryOptions-Applicability-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions
+```
+<!-- Device-FixedDrivesRecoveryOptions-OmaUri-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
+
+The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+
+In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+
+Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+
+In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.
+
+Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+
+> [!NOTE]
+> If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.
+
+- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
+
+- If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+<!-- Device-FixedDrivesRecoveryOptions-Description-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- FDVAllowDRA_Name: Allow data recovery agent
+- FDVRecoveryPasswordUsageDropDown_Name and FDVRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information
+- FDVHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard
+- FDVActiveDirectoryBackup_Name: Save BitLocker recovery information to Active Directory Domain Services
+- FDVActiveDirectoryBackupDropDown_Name: Configure storage of BitLocker recovery information to AD DS
+- FDVRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="FDVAllowDRA_Name" value="xx"/>
+<data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/>
+<data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/>
+<data id="FDVHideRecoveryPage_Name" value="xx"/>
+<data id="FDVActiveDirectoryBackup_Name" value="xx"/>
+<data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/>
+<data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
+```
+
+The possible values for 'xx' are:
+
+- true = Explicitly allow
+- false = Policy not set
+
+The possible values for 'yy' are:
+
+- 0 = Disallowed
+- 1 = Required
+- 2 = Allowed
+
+The possible values for 'zz' are:
+
+- 1 = Store recovery passwords and key packages
+- 2 = Store recovery passwords only
+<!-- Device-FixedDrivesRecoveryOptions-Editable-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FixedDrivesRecoveryOptions-DFProperties-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | FDVRecoveryUsage_Name |
+| Friendly Name | Choose how BitLocker-protected fixed drives can be recovered |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | FDVRecovery |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-FixedDrivesRecoveryOptions-AdmxBacked-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+ <Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-FixedDrivesRecoveryOptions-Examples-End -->
+
+<!-- Device-FixedDrivesRecoveryOptions-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-Begin -->
+## FixedDrivesRequireEncryption
+
+<!-- Device-FixedDrivesRequireEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-FixedDrivesRequireEncryption-Applicability-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption
+```
+<!-- Device-FixedDrivesRequireEncryption-OmaUri-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
+
+- If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+
+- If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
+<!-- Device-FixedDrivesRequireEncryption-Description-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is: `<enabled/>`
+<!-- Device-FixedDrivesRequireEncryption-Editable-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-FixedDrivesRequireEncryption-DFProperties-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | FDVDenyWriteAccess_Name |
+| Friendly Name | Deny write access to fixed drives not protected by BitLocker |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives |
+| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE |
+| Registry Value Name | FDVDenyWriteAccess |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-FixedDrivesRequireEncryption-AdmxBacked-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use hte following SyncML:
+
+```xml
+<Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-FixedDrivesRequireEncryption-Examples-End -->
+
+<!-- Device-FixedDrivesRequireEncryption-End -->
+
+<!-- Device-IdentificationField-Begin -->
+## IdentificationField
+
+<!-- Device-IdentificationField-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-IdentificationField-Applicability-End -->
+
+<!-- Device-IdentificationField-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/IdentificationField
+```
+<!-- Device-IdentificationField-OmaUri-End -->
+
+<!-- Device-IdentificationField-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
+
+The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.
+
+You can configure the identification fields on existing drives by using [manage-bde](/windows-server/administration/windows-commands/manage-bde).exe.
+
+- If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.
+
+When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.
+
+- If you disable or do not configure this policy setting, the identification field is not required.
+
+> [!NOTE]
+> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
+<!-- Device-IdentificationField-Description-End -->
+
+<!-- Device-IdentificationField-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- IdentificationField: This is a BitLocker identification field.
+- SecIdentificationField: This is an allowed BitLocker identification field.
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="IdentificationField" value="BitLocker-ID1"/>
+<data id="SecIdentificationField" value="Allowed-BitLocker-ID2"/>
+```
+<!-- Device-IdentificationField-Editable-End -->
+
+<!-- Device-IdentificationField-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-IdentificationField-DFProperties-End -->
+
+<!-- Device-IdentificationField-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IdentificationField_Name |
+| Friendly Name | Provide the unique identifiers for your organization |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | IdentificationField |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-IdentificationField-AdmxBacked-End -->
+
+<!-- Device-IdentificationField-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-IdentificationField-Examples-End -->
+
+<!-- Device-IdentificationField-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-Begin -->
+## RemovableDrivesConfigureBDE
+
+<!-- Device-RemovableDrivesConfigureBDE-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-RemovableDrivesConfigureBDE-Applicability-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RemovableDrivesConfigureBDE
+```
+<!-- Device-RemovableDrivesConfigureBDE-OmaUri-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.
+
+When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment).
+
+- If you do not configure this policy setting, users can use BitLocker on removable disk drives.
+
+- If you disable this policy setting, users cannot use BitLocker on removable disk drives.
+<!-- Device-RemovableDrivesConfigureBDE-Description-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives.
+- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives.
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="RDVAllowBDE_Name" value="true"/>
+<data id="RDVDisableBDE_Name" value="true"/>
+```
+<!-- Device-RemovableDrivesConfigureBDE-Editable-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-RemovableDrivesConfigureBDE-DFProperties-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RDVConfigureBDE |
+| Friendly Name | Control use of BitLocker on removable drives |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | RDVConfigureBDE |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-RemovableDrivesConfigureBDE-AdmxBacked-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RemovableDrivesConfigureBDE-Examples-End -->
+
+<!-- Device-RemovableDrivesConfigureBDE-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-Begin -->
+## RemovableDrivesEncryptionType
+
+<!-- Device-RemovableDrivesEncryptionType-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-RemovableDrivesEncryptionType-Applicability-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RemovableDrivesEncryptionType
+```
+<!-- Device-RemovableDrivesEncryptionType-OmaUri-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
+
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+
+- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+<!-- Device-RemovableDrivesEncryptionType-Description-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/><data id="RDVEncryptionTypeDropDown_Name" value="2"/>
+```
+
+Possible values:
+
+- 0: Allow user to choose.
+- 1: Full encryption.
+- 2: Used space only encryption.
+<!-- Device-RemovableDrivesEncryptionType-Editable-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [BDEAllowed] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE` <br> Dependency Allowed Value Type: `ADMX` <br>  |
+<!-- Device-RemovableDrivesEncryptionType-DFProperties-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RDVEncryptionType_Name |
+| Friendly Name | Enforce drive encryption type on removable data drives |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | RDVEncryptionType |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-RemovableDrivesEncryptionType-AdmxBacked-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RemovableDrivesEncryptionType-Examples-End -->
+
+<!-- Device-RemovableDrivesEncryptionType-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-Begin -->
+## RemovableDrivesExcludedFromEncryption
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-RemovableDrivesExcludedFromEncryption-Applicability-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption
+```
+<!-- Device-RemovableDrivesExcludedFromEncryption-OmaUri-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-Description-Begin -->
+<!-- Description-Source-DDF -->
+When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004.
+<!-- Device-RemovableDrivesExcludedFromEncryption-Description-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-RemovableDrivesExcludedFromEncryption-Editable-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+<!-- Device-RemovableDrivesExcludedFromEncryption-DFProperties-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RemovableDrivesExcludedFromEncryption-Examples-End -->
+
+<!-- Device-RemovableDrivesExcludedFromEncryption-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-Begin -->
+## RemovableDrivesRequireEncryption
+
+<!-- Device-RemovableDrivesRequireEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-RemovableDrivesRequireEncryption-Applicability-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
+```
+<!-- Device-RemovableDrivesRequireEncryption-OmaUri-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
+
+- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+
+If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.
+
+- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
+
+> [!NOTE]
+> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
+<!-- Device-RemovableDrivesRequireEncryption-Description-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- RDVCrossOrg: Deny write access to devices configured in another organization
+
+Sample value for this node to enable this policy is:
+
+```xml
+ <enabled/><data id="RDVCrossOrg" value="xx"/>
+```
+
+The possible values for 'xx' are:
+
+- true = Explicitly allow
+- false = Policy not set
+<!-- Device-RemovableDrivesRequireEncryption-Editable-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-RemovableDrivesRequireEncryption-DFProperties-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RDVDenyWriteAccess_Name |
+| Friendly Name | Deny write access to removable drives not protected by BitLocker |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives |
+| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE |
+| Registry Value Name | RDVDenyWriteAccess |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-RemovableDrivesRequireEncryption-AdmxBacked-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+ <Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-RemovableDrivesRequireEncryption-Examples-End -->
+
+<!-- Device-RemovableDrivesRequireEncryption-End -->
+
+<!-- Device-RequireDeviceEncryption-Begin -->
+## RequireDeviceEncryption
+
+<!-- Device-RequireDeviceEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-RequireDeviceEncryption-Applicability-End -->
+
+<!-- Device-RequireDeviceEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
+```
+<!-- Device-RequireDeviceEncryption-OmaUri-End -->
+
+<!-- Device-RequireDeviceEncryption-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
+
+Sample value for this node to enable this policy:
+1
+
+Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
+
+<!-- Device-RequireDeviceEncryption-Description-End -->
+
+<!-- Device-RequireDeviceEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.
 
 The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
 
@@ -95,13 +1091,32 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
 - It must not be a system partition.
 - It must not be backed by virtual storage.
 - It must not have a reference in the BCD store.
-<!--SupportedValues-->
-The following list shows the supported values:
+<!-- Device-RequireDeviceEncryption-Editable-End -->
 
-- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes.
-- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
-<!--/SupportedValues-->
-If you want to disable this policy, use the following SyncML:
+<!-- Device-RequireDeviceEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-RequireDeviceEncryption-DFProperties-End -->
+
+<!-- Device-RequireDeviceEncryption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. |
+| 1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). |
+<!-- Device-RequireDeviceEncryption-AllowedValues-End -->
+
+<!-- Device-RequireDeviceEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable RequireDeviceEncryption:
 
 ```xml
 <SyncML>
@@ -121,1283 +1136,201 @@ If you want to disable this policy, use the following SyncML:
     </SyncBody>
 </SyncML>
 ```
+<!-- Device-RequireDeviceEncryption-Examples-End -->
+
+<!-- Device-RequireDeviceEncryption-End -->
+
+<!-- Device-RequireStorageCardEncryption-Begin -->
+## RequireStorageCardEncryption
 
 > [!NOTE]
-> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.
+> This policy is deprecated and may be removed in a future release.
 
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
-<!--Description-->
-Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
-<!--/Description-->
-<!--SupportedValues-->
+<!-- Device-RequireStorageCardEncryption-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-RequireStorageCardEncryption-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedValues-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*
-- GP name: *EncryptionMethodWithXts_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
-
-If you enable this setting, you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511.
-
-If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
-
- Sample value for this node to enable this policy and set the encryption methods is:
-
-```xml
- <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
+<!-- Device-RequireStorageCardEncryption-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption
 ```
+<!-- Device-RequireStorageCardEncryption-OmaUri-End -->
 
-- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
-- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
-- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
-<!--SupportedValues-->
- The possible values for 'xx' are:
+<!-- Device-RequireStorageCardEncryption-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows the Admin to require storage card encryption on the device.
 
-- 3 = AES-CBC 128
-- 4 = AES-CBC 256
-- 6 = XTS-AES 128
-- 7 = XTS-AES 256
-<!--/SupportedValues-->
-> [!NOTE]
-> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
+This policy is only valid for mobile SKU.
+Sample value for this node to enable this policy:
+1
 
-  If you want to disable this policy, use the following SyncML:
+Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
 
-```xml
-<Replace>
-  <CmdID>$CmdID$</CmdID>
-    <Item>
-      <Target>
-          <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
-      </Target>
-      <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-      </Meta>
-      <Data><disabled/></Data>
-    </Item>
-</Replace>
+<!-- Device-RequireStorageCardEncryption-Description-End -->
+
+<!-- Device-RequireStorageCardEncryption-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-RequireStorageCardEncryption-Editable-End -->
+
+<!-- Device-RequireStorageCardEncryption-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-RequireStorageCardEncryption-DFProperties-End -->
+
+<!-- Device-RequireStorageCardEncryption-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Storage cards do not need to be encrypted. |
+| 1 | Require storage cards to be encrypted. |
+<!-- Device-RequireStorageCardEncryption-AllowedValues-End -->
+
+<!-- Device-RequireStorageCardEncryption-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RequireStorageCardEncryption-Examples-End -->
+
+<!-- Device-RequireStorageCardEncryption-End -->
+
+<!-- Device-RotateRecoveryPasswords-Begin -->
+## RotateRecoveryPasswords
+
+<!-- Device-RotateRecoveryPasswords-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-RotateRecoveryPasswords-Applicability-End -->
+
+<!-- Device-RotateRecoveryPasswords-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords
 ```
+<!-- Device-RotateRecoveryPasswords-OmaUri-End -->
 
-Data type is string.
+<!-- Device-RotateRecoveryPasswords-Description-Begin -->
+<!-- Description-Source-DDF -->
+Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
+This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
 
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="identificationfield"></a>**IdentificationField**
-<!--Description-->
-Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker.
-<!--/Description-->
-<!--SupportedSKUs-->
+The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
+- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
+- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
 
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
+- status\RotateRecoveryPasswordsStatus
+- status\RotateRecoveryPasswordsRequestID
 
-- GP Friendly name: *Provide the unique identifiers for your organization*
-- GP name: *IdentificationField_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption*
-- GP ADMX file name: *VolumeEncryption.admx*
+Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
 
-<!--/ADMXMapped-->
-
-This setting is used to establish an identifier that is applied to all encrypted drives in your organization.
-
-Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde):
-
-- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
-
-- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations.
-
->[!Note]
->When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
-
-If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="IdentificationField" value="BitLocker-ID1"/><data id="SecIdentificationField" value="Allowed-BitLocker-ID2"/>
-```
-
-Data ID:
-
-- IdentificationField: This is a BitLocker identification field.
-- SecIdentificationField: This is an allowed BitLocker identification field.
-
-If you disable or don't configure this setting, the identification field isn't required.
-
->[!Note]
->Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters.
-
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesenableprebootpinexceptionondecapabledevice"></a>**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice**
-<!--Description-->
-Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN*
-- GP name: *EnablePreBootPinExceptionOnDECapableDevice_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware.
-
-If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/>
-```
-
-If this policy is disabled, the options of "Require additional authentication at startup" policy apply.
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesenhancedpin"></a>**SystemDrivesEnhancedPIN**
-<!--Description-->
-Allows users to configure whether or not enhanced startup PINs are used with BitLocker.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Allow enhanced PINs for startup*
-- GP name: *EnhancedPIN_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
-
->[!Note]
->Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
-
-If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/>
-```
-
-If you disable or don't configure this policy setting, enhanced PINs won't be used.
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesdisallowstandarduserscanchangepin"></a>**SystemDrivesDisallowStandardUsersCanChangePIN**
-<!--Description-->
-Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Disallow standard users from changing the PIN or password*
-- GP name: *DisallowStandardUsersCanChangePIN_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive.
-
->[!Note]
->To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.
-
-If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords.
-
-If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
-
-Sample value for this node to disable this policy is:
-
-```xml
-<disabled/>
-```
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesenableprebootinputprotectorsonslates"></a>**SystemDrivesEnablePrebootInputProtectorsOnSlates**
-<!--Description-->
-Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Enable use of BitLocker authentication requiring preboot keyboard input on slates*
-- GP name: *EnablePrebootInputProtectorsOnSlates_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
-
-It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/>
-```
-
-If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.
-
-When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
-
->[!Note]
->If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available:
->
->- Configure TPM startup PIN: Required and Allowed
->- Configure TPM startup key and PIN: Required and Allowed
->- Configure use of passwords for operating system drives
-
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesencryptiontype"></a>**SystemDrivesEncryptionType**
-<!--Description-->
-Allows you to configure the encryption type that is used by BitLocker.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Enforce drive encryption type on operating system drives*
-- GP name: *OSEncryptionType_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This policy setting is applied when you turn on BitLocker. Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress.
-
-Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
-
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="OSEncryptionTypeDropDown_Name" value="1"/>
-```
-
-If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
-
->[!Note]
->This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method.
->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Require additional authentication at startup*
-- GP name: *ConfigureAdvancedStartup_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
-
-> [!NOTE]
-> Only one of the additional authentication options is required at startup, otherwise an error occurs.
-
-If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive.
-
-On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
-
-> [!NOTE]
-> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
-
-If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
-
-If you disable or don't configure this setting, users can configure only basic options on computers with a TPM.
-
-> [!NOTE]
-> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
-
-> [!NOTE]
-> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
-```
-
-Data ID:
-
-- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
-- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.
-- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.
-- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
-- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
-
-<!--SupportedValues-->
-The possible values for 'xx' are:
-
-- true = Explicitly allow
-- false = Policy not set
-
-The possible values for 'yy' are:
-
-- 2 = Optional
-- 1 = Required
-- 0 = Disallowed
-
-<!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Configure minimum PIN length for startup*
-- GP name: *MinimumPINLength_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits.
-
-> [!NOTE]
-> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
->
->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2.
-
-If you enable this setting, you will require a minimum number of digits to set the startup PIN.
-
-If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="MinPINLength" value="xx"/>
-```
-
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-
-<!--Policy-->
-<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL"
-(PrebootRecoveryInfo_Name).
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Configure pre-boot recovery message and URL*
-- GP name: *PrebootRecoveryInfo_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.
-
-If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
-
-If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
-
-If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
-```
-<!--SupportedValues-->
-The possible values for 'xx' are:
-
--  0 = Empty
--  1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
--  2 = Custom recovery message is set.
--  3 = Custom recovery URL is set.
--  'yy' = string of max length 900.
--  'zz' = string of max length 500.
-<!--/SupportedValues-->
-> [!NOTE]
-> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
-
-Disabling the policy will let the system choose the default behaviors.  If you want to disable this policy, use the following SyncML:
-
-```xml
-<Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-> [!NOTE]
-> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Choose how BitLocker-protected operating system drives can be recovered*
-- GP name: *OSRecoveryUsage_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker.
-
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
-
-In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-
-Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-
-Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
-
-Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-
-> [!NOTE]
-> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
-
-If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
-
-If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
-```
-<!--SupportedValues-->
-The possible values for 'xx' are:
-
-- true = Explicitly allow
-- false = Policy not set
-
-The possible values for 'yy' are:
-
-- 2 = Allowed
-- 1 = Required
-- 0 = Disallowed
-
-The possible values for 'zz' are:
-
-- 2 = Store recovery passwords only.
-- 1 = Store recovery passwords and key packages.
-<!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Choose how BitLocker-protected fixed drives can be recovered*
-- GP name: *FDVRecoveryUsage_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
-
-In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-
-Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-
-Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
-
-Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-
-Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
-
-> [!NOTE]
-> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
-
-If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
-
-If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
-```
-<!--SupportedValues-->
-The possible values for 'xx' are:
-
-- true = Explicitly allow
-- false = Policy not set
-
-The possible values for 'yy' are:
-
-- 2 = Allowed
-- 1 = Required
-- 0 = Disallowed
-
-The possible values for 'zz' are:
-
-- 2 = Store recovery passwords only
-- 1 = Store recovery passwords and key packages
-
-<!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Deny write access to fixed drives not protected by BitLocker*
-- GP name: *FDVDenyWriteAccess_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
-
-If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/>
-```
-
-If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-
-Data type is string.
-
-Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="fixeddrivesencryptiontype"></a>**FixedDrivesEncryptionType**
-<!--Description-->
-Allows you to configure the encryption type on fixed data drives that is used by BitLocker.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Enforce drive encryption type on fixed data drives*
-- GP name: *FDVEncryptionType_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Data Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection is displayed to the user.
-
-Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on.
-
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="FDVEncryptionTypeDropDown_Name" value="1"/>
-```
-
-If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
-
->[!Note]
->This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method.
->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
-<!--Description-->
-This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Deny write access to removable drives not protected by BitLocker*
-- GP name: *RDVDenyWriteAccess_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Removeable Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
-
-If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-
-If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
-
-If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
-
-> [!NOTE]
-> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
-
-Sample value for this node to enable this policy is:
-
-```xml
- <enabled/><data id="RDVCrossOrg" value="xx"/>
-```
-<!--SupportedValues-->
-The possible values for 'xx' are:
-
-- true = Explicitly allow
-- false = Policy not set
-
-<!--/SupportedValues-->
-Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>$CmdID$</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">chr</Format>
-     </Meta>
-     <Data><disabled/></Data>
-   </Item>
- </Replace>
-```
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="removabledrivesencryptiontype"></a>**RemovableDrivesEncryptionType**
-<!--Description-->
-Allows you to configure the encryption type that is used by BitLocker.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Enforce drive encryption type on removable data drives*
-- GP name: *RDVEncryptionType_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-
-<!--/ADMXMapped-->
-
-This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
-
-Changing the encryption type will no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
-
-If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="RDVEncryptionTypeDropDown_Name" value="2"/>
-```
-
-If this policy is disabled or not configured, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
-
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="removabledrivesconfigurebde"></a>**RemovableDrivesConfigureBDE**
-<!--Description-->
-Allows you to control the use of BitLocker on removable data drives.
-<!--/Description-->
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--ADMXMapped-->
-ADMX Info:
-
-- GP Friendly name: *Control use of BitLocker on removable drives*
-- GP name: *RDVConfigureBDE_Name*
-- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives*
-- GP ADMX file name: *VolumeEncryption.admx*
-<!--/ADMXMapped-->
-
-This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker.
-
-For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment) .
-
-The options for choosing property settings that control how users can configure BitLocker are:
-
-- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on removable data drives.
-- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
-
-If you enable this policy setting, you can select property settings that control how users can configure BitLocker.
-
-Sample value for this node to enable this policy is:
-
-```xml
-<enabled/><data id="RDVAllowBDE_Name" value="true"/><data id="RDVDisableBDE_Name" value="true"/>
-```
-Data ID:
-
-- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives
-- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives
-
-If this policy is disabled, users can't use BitLocker on removable disk drives.
-
-If you don't configure this policy setting, users can use BitLocker on removable disk drives.
-
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
-<!--Description-->
-Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1.
-<!--/Description-->
-> [!IMPORTANT]
-> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview).
-
-> [!Warning]
-> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices.  Windows will attempt to silently enable BitLocker for value 0.
--   1 (default) – Warning prompt allowed.
-<!--/SupportedValues-->
-```xml
-<Replace>
-    <CmdID>110</CmdID>
-    <Item>
-        <Target>
-            <LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
-        </Target>
-        <Meta>
-            <Format xmlns="syncml:metinf">int</Format>
-        <Data>0</Data>
-    </Item>
-</Replace>
-```
-
-> [!NOTE]
->When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
->
->The endpoint for a fixed data drive's backup is chosen in the following order:
->
-  >1. The user's Windows Server Active Directory Domain Services account.
-  >2. The user's Azure Active Directory account.
-  >3. The user's personal OneDrive (MDM/MAM only).
->
->Encryption will wait until one of these three locations backs up successfully.
-<!--/Policy-->
-<!--Policy-->
-<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
-<!--Description-->
-Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user of Azure AD account.
-<!--/Description-->
-
-> [!NOTE]
-> This policy is only supported in Azure AD accounts.
-
-"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy  being set to "0", i.e, silent encryption is enforced.
-
-If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system.
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<!--SupportedValues-->
-The expected values for this policy are:
-
-- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
-- 0 = This value is the default value, when the policy isn't set. If the current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive.
-<!--/SupportedValues-->
-If you want to disable this policy, use the following SyncML:
-
-```xml
- <Replace>
- <CmdID>111</CmdID>
-   <Item>
-     <Target>
-         <LocURI>./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption</LocURI>
-     </Target>
-     <Meta>
-         <Format xmlns="syncml:metinf">int</Format>
-     </Meta>
-     <Data>0</Data>
-   </Item>
- </Replace>
-```
-<!--/Policy-->
-
-<!--Policy-->
-
-<a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**
-
-<!--Description-->
-This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
-
-<!--/Description-->
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-
-Value type is int.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-<!--SupportedValues-->
-
-Supported values are:
-
-- 0 – Refresh off (default).
-- 1 – Refresh on for Azure AD-joined devices.
-- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<!--Policy-->
-
-<a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**
-
-<!--Description-->
-
-This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate.
-<!--/Description-->
-
-The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
-
-Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request.
-
-Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
-
-Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
-
-Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
-- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
-- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-
-Value type is string.
-
-Supported operation is Execute. Request ID is expected as a parameter.
+<!-- Device-RotateRecoveryPasswords-Description-End -->
 
+<!-- Device-RotateRecoveryPasswords-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype).
->   - windowsAzureADJoin.
->   - windowsBulkAzureDomainJoin.
->   - windowsAzureADJoinUsingDeviceAuth.
->   - windowsCoManagement.
+>
+> - windowsAzureADJoin.
+> - windowsBulkAzureDomainJoin.
+> - windowsAzureADJoinUsingDeviceAuth.
+> - windowsCoManagement.
 
 > [!TIP]
 > Key rotation feature will only work when:
 >
 > - For Operating system drives:
->    - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required").
->    - OSActiveDirectoryBackup_Name is set to true.
+>   - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required").
+>   - OSActiveDirectoryBackup_Name is set to true.
+>
 > - For Fixed data drives:
->    - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required").
->    - FDVActiveDirectoryBackup_Name is set to true.
+>   - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required").
+>   - FDVActiveDirectoryBackup_Name is set to true.
+<!-- Device-RotateRecoveryPasswords-Editable-End -->
 
-<a href="" id="status"></a>**Status**
-Interior node.
+<!-- Device-RotateRecoveryPasswords-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec |
+<!-- Device-RotateRecoveryPasswords-DFProperties-End -->
 
-<!--/Policy-->
+<!-- Device-RotateRecoveryPasswords-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RotateRecoveryPasswords-Examples-End -->
 
-<!--Policy-->
-<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
-<!--Description-->
+<!-- Device-RotateRecoveryPasswords-End -->
+
+<!-- Device-Status-Begin -->
+## Status
+
+<!-- Device-Status-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Status-Applicability-End -->
+
+<!-- Device-Status-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/Status
+```
+<!-- Device-Status-OmaUri-End -->
+
+<!-- Device-Status-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-Status-Description-End -->
+
+<!-- Device-Status-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-Editable-End -->
+
+<!-- Device-Status-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Status-DFProperties-End -->
+
+<!-- Device-Status-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-Examples-End -->
+
+<!-- Device-Status-End -->
+
+<!-- Device-Status-DeviceEncryptionStatus-Begin -->
+### Status/DeviceEncryptionStatus
+
+<!-- Device-Status-DeviceEncryptionStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Status-DeviceEncryptionStatus-Applicability-End -->
+
+<!-- Device-Status-DeviceEncryptionStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/DeviceEncryptionStatus
+```
+<!-- Device-Status-DeviceEncryptionStatus-OmaUri-End -->
+
+<!-- Device-Status-DeviceEncryptionStatus-Description-Begin -->
+<!-- Description-Source-DDF -->
 This node reports compliance state of device encryption on the system.
-<!--/Description-->
-<!--SupportedSKUs-->
+Value '0' means the device is compliant. Any other value represents a non-compliant device.
+<!-- Device-Status-DeviceEncryptionStatus-Description-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-
-<!--SupportedValues-->
-Value type is int.
-
-Supported operation is Get.
-
-Supported values:
-
-- 0 - Indicates that the device is compliant.
-- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
+<!-- Device-Status-DeviceEncryptionStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+This value represents a bitmask with each bit and the corresponding error code described in the following table:
 
 | Bit | Error Code |
 |-----|------------|
@@ -1418,70 +1351,930 @@ Supported values:
 | 14 |The TPM isn't ready for BitLocker.|
 | 15 |The network isn't available, which is required for recovery key backup. |
 | 16-31 |For future use.|
+<!-- Device-Status-DeviceEncryptionStatus-Editable-End -->
 
-<!--/SupportedValues-->
+<!-- Device-Status-DeviceEncryptionStatus-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/Policy-->
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Status-DeviceEncryptionStatus-DFProperties-End -->
 
-<!--Policy-->
+<!-- Device-Status-DeviceEncryptionStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-DeviceEncryptionStatus-Examples-End -->
 
-<a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**
-<!--Description-->
+<!-- Device-Status-DeviceEncryptionStatus-End -->
 
-This node reports the status of RotateRecoveryPasswords request.
-<!--/Description-->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Begin -->
+### Status/RemovableDrivesEncryptionStatus
 
-Status code can be one of the following values:
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Applicability-End -->
 
-- 2 – Not started
-- 1 - Pending
-- 0 - Pass
-- Any other code - Failure HRESULT
-<!--SupportedSKUs-->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RemovableDrivesEncryptionStatus
+```
+<!-- Device-Status-RemovableDrivesEncryptionStatus-OmaUri-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Description-Begin -->
+<!-- Description-Source-DDF -->
+This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings.
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Description-End -->
 
-<!--/SupportedSKUs-->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Editable-End -->
 
-Value type is int.
+<!-- Device-Status-RemovableDrivesEncryptionStatus-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Status-RemovableDrivesEncryptionStatus-DFProperties-End -->
 
-<!--/Policy-->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-Examples-End -->
 
-<!--Policy-->
+<!-- Device-Status-RemovableDrivesEncryptionStatus-End -->
 
-<a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Begin -->
+### Status/RotateRecoveryPasswordsRequestID
 
-<!--Description-->
-This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
-This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
-<!--/Description-->
-<!--SupportedSKUs-->
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsRequestID
+```
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-OmaUri-End -->
 
-<!--/SupportedSKUs-->
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Description-Begin -->
+<!-- Description-Source-DDF -->
+This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
+This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
+To ensure the status is correctly matched to the request ID.
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Description-End -->
 
-Value type is string.
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-DFProperties-Begin -->
+**Description framework properties**:
 
-### SyncML example
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-DFProperties-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-Examples-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsRequestID-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Begin -->
+### Status/RotateRecoveryPasswordsStatus
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Applicability-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsStatus
+```
+<!-- Device-Status-RotateRecoveryPasswordsStatus-OmaUri-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Description-Begin -->
+<!-- Description-Source-DDF -->
+This Node reports the status of RotateRecoveryPasswords request.
+Status code can be one of the following:
+NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Description-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Editable-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Status-RotateRecoveryPasswordsStatus-DFProperties-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Status-RotateRecoveryPasswordsStatus-Examples-End -->
+
+<!-- Device-Status-RotateRecoveryPasswordsStatus-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Begin -->
+## SystemDrivesDisallowStandardUsersCanChangePIN
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Applicability-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesDisallowStandardUsersCanChangePIN
+```
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-OmaUri-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
+
+This policy setting is applied when you turn on BitLocker.
+
+- If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+
+- If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Description-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> To change the PIN or password, the user must be able to provide the current PIN or password.
+
+Sample value for this node to disable this policy is: `<disabled/>`
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Editable-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-DFProperties-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisallowStandardUsersCanChangePIN_Name |
+| Friendly Name | Disallow standard users from changing the PIN or password |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | DisallowStandardUserPINReset |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-Examples-End -->
+
+<!-- Device-SystemDrivesDisallowStandardUsersCanChangePIN-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Begin -->
+## SystemDrivesEnablePrebootInputProtectorsOnSlates
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Applicability-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePrebootInputProtectorsOnSlates
+```
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-OmaUri-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability.
+
+The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password.
+
+- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
+
+- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+
+**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include
+- Configure TPM startup PIN Required/Allowed
+- Configure TPM startup key and PIN Required/Allowed
+- Configure use of passwords for operating system drives.
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Description-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is: `<enabled/>`
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Editable-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-DFProperties-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePrebootInputProtectorsOnSlates_Name |
+| Friendly Name | Enable use of BitLocker authentication requiring preboot keyboard input on slates |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | OSEnablePrebootInputProtectorsOnSlates |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Examples-End -->
+
+<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Begin -->
+## SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Applicability-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+```
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-OmaUri-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware.
+
+- If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
+
+- If this policy is not enabled, the options of "Require additional authentication at startup" policy apply.
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Description-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is: `<enabled/>`
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Editable-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-DFProperties-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePreBootPinExceptionOnDECapableDevice_Name |
+| Friendly Name | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | OSEnablePreBootPinExceptionOnDECapableDevice |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-Examples-End -->
+
+<!-- Device-SystemDrivesEnablePreBootPinExceptionOnDECapableDevice-End -->
+
+<!-- Device-SystemDrivesEncryptionType-Begin -->
+## SystemDrivesEncryptionType
+
+<!-- Device-SystemDrivesEncryptionType-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-SystemDrivesEncryptionType-Applicability-End -->
+
+<!-- Device-SystemDrivesEncryptionType-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEncryptionType
+```
+<!-- Device-SystemDrivesEncryptionType-OmaUri-End -->
+
+<!-- Device-SystemDrivesEncryptionType-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
+
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+
+- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+<!-- Device-SystemDrivesEncryptionType-Description-End -->
+
+<!-- Device-SystemDrivesEncryptionType-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/><data id="OSEncryptionTypeDropDown_Name" value="1"/>
+```
+
+Possible values:
+
+- 0: Allow user to choose.
+- 1: Full encryption.
+- 2: Used space only encryption.
+
+>[!NOTE]
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method.
+> For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+>
+> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde).
+<!-- Device-SystemDrivesEncryptionType-Editable-End -->
+
+<!-- Device-SystemDrivesEncryptionType-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesEncryptionType-DFProperties-End -->
+
+<!-- Device-SystemDrivesEncryptionType-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | OSEncryptionType_Name |
+| Friendly Name | Enforce drive encryption type on operating system drives |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | OSEncryptionType |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesEncryptionType-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesEncryptionType-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SystemDrivesEncryptionType-Examples-End -->
+
+<!-- Device-SystemDrivesEncryptionType-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-Begin -->
+## SystemDrivesEnhancedPIN
+
+<!-- Device-SystemDrivesEnhancedPIN-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Device-SystemDrivesEnhancedPIN-Applicability-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesEnhancedPIN
+```
+<!-- Device-SystemDrivesEnhancedPIN-OmaUri-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.
+
+Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.
+
+- If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.
+
+> [!NOTE]
+> Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.
+
+- If you disable or do not configure this policy setting, enhanced PINs will not be used.
+<!-- Device-SystemDrivesEnhancedPIN-Description-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Sample value for this node to enable this policy is: `<enabled/>`
+<!-- Device-SystemDrivesEnhancedPIN-Editable-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesEnhancedPIN-DFProperties-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnhancedPIN_Name |
+| Friendly Name | Allow enhanced PINs for startup |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| Registry Value Name | UseEnhancedPin |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesEnhancedPIN-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SystemDrivesEnhancedPIN-Examples-End -->
+
+<!-- Device-SystemDrivesEnhancedPIN-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-Begin -->
+## SystemDrivesMinimumPINLength
+
+<!-- Device-SystemDrivesMinimumPINLength-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-SystemDrivesMinimumPINLength-Applicability-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength
+```
+<!-- Device-SystemDrivesMinimumPINLength-OmaUri-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+
+- If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
+
+- If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
+
+NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
+<!-- Device-SystemDrivesMinimumPINLength-Description-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/><data id="MinPINLength" value="xx"/>
+```
+<!-- Device-SystemDrivesMinimumPINLength-Editable-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesMinimumPINLength-DFProperties-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MinimumPINLength_Name |
+| Friendly Name | Configure minimum PIN length for startup |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesMinimumPINLength-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+ <Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-SystemDrivesMinimumPINLength-Examples-End -->
+
+<!-- Device-SystemDrivesMinimumPINLength-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-Begin -->
+## SystemDrivesRecoveryMessage
+
+<!-- Device-SystemDrivesRecoveryMessage-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-SystemDrivesRecoveryMessage-Applicability-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage
+```
+<!-- Device-SystemDrivesRecoveryMessage-OmaUri-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
+
+If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the "Use default recovery message and URL" option.
+
+If you select the "Use custom recovery message" option, the message you type in the "Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
+
+If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
+
+> [!NOTE]
+> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
+<!-- Device-SystemDrivesRecoveryMessage-Description-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- PrebootRecoveryInfoDropDown_Name: Select an option for the pre-boot recovery message.
+- RecoveryMessage_Input: Custom recovery message
+- RecoveryUrl_Input: Custom recovery URL
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="PrebootRecoveryInfoDropDown_Name" value="xx"/>
+<data id="RecoveryMessage_Input" value="yy"/>
+<data id="RecoveryUrl_Input" value="zz"/>
+```
+
+The possible values for 'xx' are:
+
+- 0 = Empty
+- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
+- 2 = Custom recovery message is set.
+- 3 = Custom recovery URL is set.
+
+The possible value for 'yy' and 'zz' is a string of max length 900 and 500 respectively.
+
+> [!NOTE]
+>
+> - When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
+> - Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
+<!-- Device-SystemDrivesRecoveryMessage-Editable-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesRecoveryMessage-DFProperties-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PrebootRecoveryInfo_Name |
+| Friendly Name | Configure pre-boot recovery message and URL |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | Software\Policies\Microsoft\FVE |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesRecoveryMessage-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+<Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-SystemDrivesRecoveryMessage-Examples-End -->
+
+<!-- Device-SystemDrivesRecoveryMessage-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-Begin -->
+## SystemDrivesRecoveryOptions
+
+<!-- Device-SystemDrivesRecoveryOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-SystemDrivesRecoveryOptions-Applicability-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions
+```
+<!-- Device-SystemDrivesRecoveryOptions-OmaUri-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
+
+The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+
+In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+
+Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+
+In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.
+
+Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+
+> [!NOTE]
+> If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.
+
+- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
+
+- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+<!-- Device-SystemDrivesRecoveryOptions-Description-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Data ID elements:
+
+- OSAllowDRA_Name: Allow certificate-based data recovery agent
+- OSRecoveryPasswordUsageDropDown_Name and OSRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information
+- OSHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard
+- OSActiveDirectoryBackup_Name and OSActiveDirectoryBackupDropDown_Name: Save BitLocker recovery information to Active Directory Domain Services
+- OSRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="OSAllowDRA_Name" value="xx"/>
+<data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/>
+<data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/>
+<data id="OSHideRecoveryPage_Name" value="xx"/>
+<data id="OSActiveDirectoryBackup_Name" value="xx"/>
+<data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/>
+<data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
+```
+
+The possible values for 'xx' are:
+
+- true = Explicitly allow
+- false = Policy not set
+
+The possible values for 'yy' are:
+
+- 0 = Disallowed
+- 1 = Required
+- 2 = Allowed
+
+The possible values for 'zz' are:
+
+- 1 = Store recovery passwords and key packages.
+- 2 = Store recovery passwords only.
+<!-- Device-SystemDrivesRecoveryOptions-Editable-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesRecoveryOptions-DFProperties-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | OSRecoveryUsage_Name |
+| Friendly Name | Choose how BitLocker-protected operating system drives can be recovered |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | OSRecovery |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesRecoveryOptions-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+ <Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-SystemDrivesRecoveryOptions-Examples-End -->
+
+<!-- Device-SystemDrivesRecoveryOptions-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-Begin -->
+## SystemDrivesRequireStartupAuthentication
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- Device-SystemDrivesRequireStartupAuthentication-Applicability-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication
+```
+<!-- Device-SystemDrivesRequireStartupAuthentication-OmaUri-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
+
+> [!NOTE]
+> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
+
+If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
+
+On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
+
+- If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
+
+- If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
+
+> [!NOTE]
+> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard.
+<!-- Device-SystemDrivesRequireStartupAuthentication-Description-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+>
+> - In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
+> - Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
+Data ID elements:
+
+- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
+- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.
+- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.
+- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
+- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
+
+Sample value for this node to enable this policy is:
+
+```xml
+<enabled/>
+<data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/>
+<data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/>
+<data id="ConfigurePINUsageDropDown_Name" value="yy"/>
+<data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/>
+<data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
+```
+
+The possible values for 'xx' are:
+
+- true = Explicitly allow
+- false = Policy not set
+
+The possible values for 'yy' are:
+
+- 2 = Optional
+- 1 = Required
+- 0 = Disallowed
+<!-- Device-SystemDrivesRequireStartupAuthentication-Editable-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-SystemDrivesRequireStartupAuthentication-DFProperties-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureAdvancedStartup_Name |
+| Friendly Name | Require additional authentication at startup |
+| Location | Computer Configuration |
+| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
+| Registry Value Name | UseAdvancedStartup |
+| ADMX File Name | VolumeEncryption.admx |
+<!-- Device-SystemDrivesRequireStartupAuthentication-AdmxBacked-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
+
+To disable this policy, use the following SyncML:
+
+```xml
+ <Replace>
+ <CmdID>$CmdID$</CmdID>
+   <Item>
+     <Target>
+         <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
+     </Target>
+     <Meta>
+         <Format xmlns="syncml:metinf">chr</Format>
+     </Meta>
+     <Data><disabled/></Data>
+   </Item>
+ </Replace>
+```
+<!-- Device-SystemDrivesRequireStartupAuthentication-Examples-End -->
+
+<!-- Device-SystemDrivesRequireStartupAuthentication-End -->
+
+<!-- BitLocker-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+## SyncML example
 
 The following example is provided to show proper format and shouldn't be taken as a recommendation.
 
@@ -1644,9 +2437,10 @@ The following example is provided to show proper format and shouldn't be taken a
     </SyncBody>
 </SyncML>
 ```
+<!-- BitLocker-CspMoreInfo-End -->
 
-<!--/Policy-->
+<!-- BitLocker-End -->
 
-## Related topics
+## Related articles
 
-[Configuration service provider reference](index.yml)
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 5c397b3bce..081ef8b6f2 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,63 +1,65 @@
 ---
 title: BitLocker DDF file
-description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider.
+description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 02/22/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/30/2019
-ms.reviewer: 
-manager: aaroncz
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
 # BitLocker DDF file
 
-This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is the current version for this CSP.
+The following XML file contains the device description framework (DDF) for the BitLocker configuration service provider.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
-  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
-  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
   <VerDTD>1.2</VerDTD>
-      <Node>
-        <NodeName>BitLocker</NodeName>
-        <Path>./Device/Vendor/MSFT</Path>
-        <DFProperties>
-          <AccessType>
-            <Get />
-          </AccessType>
-          <DFFormat>
-            <node />
-          </DFFormat>
-          <Occurrence>
-            <One />
-          </Occurrence>
-          <Scope>
-            <Permanent />
-          </Scope>
-          <DFType>
-            <MIME>com.microsoft/5.0/MDM/BitLocker</MIME>
-            <DDFName></DDFName>
-          </DFType>
-        </DFProperties>
-        <Node>
-          <NodeName>RequireStorageCardEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>Allows the Admin to require storage card encryption on the device.
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>BitLocker</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>RequireStorageCardEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>0</DefaultValue>
+        <Description>Allows the Admin to require storage card encryption on the device.
                          The format is integer.
                          This policy is only valid for mobile SKU.
                          Sample value for this node to enable this policy:
@@ -65,99 +67,89 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>100</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">int</Format>
-                             </Meta>
-                             <Data>0</Data>
-                           </Item>
-                         </Replace>
-            </Description>
-            <DFFormat>
-              <int />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:SupportedValues low="0" high="1">
-              <MSFT:SupportedValue value="0" description="Default when policy is not set."/>
-              <MSFT:SupportedValue value="1" description="Allows the admin to require storage card encryption."/>
-            </MSFT:SupportedValues>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>RequireDeviceEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
+                         100./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryptionint0</Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Storage cards do not need to be encrypted.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>Require storage cards to be encrypted.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+        <MSFT:Deprecated />
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RequireDeviceEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>0</DefaultValue>
+        <Description>Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
                          The format is integer.
                          Sample value for this node to enable this policy:
                          1
 
                          Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>101</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">int</Format>
-                             </Meta>
-                             <Data>0</Data>
-                           </Item>
-                         </Replace>
-            </Description>
-            <DFFormat>
-              <int />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:SupportedValues low="0" high="1">
-              <MSFT:SupportedValue value="0" description="Default when policy is not set."/>
-              <MSFT:SupportedValue value="1" description="Allows the admin to require encryption."/>
-            </MSFT:SupportedValues>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>EncryptionMethodByDriveType</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
+                         101./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryptionint0</Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy).</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>EncryptionMethodByDriveType</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
                          If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
                          If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
                          The format is string.
                          Sample value for this node to enable this policy and set the encryption methods is:
-                         &lt;enabled/&gt;&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;
+
 
                          EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
                          EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
@@ -170,48 +162,37 @@ The XML below is the current version for this CSP.
                          7 = XTS-AES 256
 
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>102</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         102./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveTypechr
 
                          Note: Maps to GP EncryptionMethodWithXts_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>EncryptionMethodWithXts_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>SystemDrivesRequireStartupAuthentication</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="EncryptionMethodWithXts_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesRequireStartupAuthentication</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
                          Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
                          If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
                          On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.
@@ -220,7 +201,7 @@ The XML below is the current version for this CSP.
                          Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;
+
 
                          ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
                          All of the below settings are for computers with a TPM.
@@ -240,106 +221,84 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>103</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         103./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthenticationchr
 
                          Note: Maps to GP ConfigureAdvancedStartup_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>ConfigureAdvancedStartup_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>SystemDrivesMinimumPINLength</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="ConfigureAdvancedStartup_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesMinimumPINLength</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
                          If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
                          If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
                          NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;MinPINLength&quot; value=&quot;xx&quot;/&gt;
+
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>104</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         104./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLengthchr
 
                          Note: Maps to GP MinimumPINLength_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>MinimumPINLength_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>SystemDrivesRecoveryMessage</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="MinimumPINLength_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesRecoveryMessage</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
                          If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
                          If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
                          If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
                          Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;zz&quot;/&gt;
+
 
                          The possible values for 'xx' are:
                          0 = Empty
@@ -351,48 +310,37 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>105</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         105./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessagechr
 
                          Note: Maps to GP PrebootRecoveryInfo_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>PrebootRecoveryInfo_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>SystemDrivesRecoveryOptions</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="PrebootRecoveryInfo_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesRecoveryOptions</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
                          The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
                          In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
                          Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
@@ -403,7 +351,7 @@ The XML below is the current version for this CSP.
                          If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
+
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -420,48 +368,37 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>106</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         106./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptionschr
 
                          Note: Maps to GP OSRecoveryUsage_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>OSRecoveryUsage_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>FixedDrivesRecoveryOptions</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="OSRecoveryUsage_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>FixedDrivesRecoveryOptions</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
                          The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
                          In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
                          Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
@@ -472,7 +409,7 @@ The XML below is the current version for this CSP.
                          If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
+
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -489,105 +426,83 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>107</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         107./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptionschr
 
                          Note: Maps to GP FDVRecoveryUsage_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>FDVRecoveryUsage_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>FixedDrivesRequireEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory" Name="FDVRecoveryUsage_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>FixedDrivesRequireEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
                          If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
                          If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;
+
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>108</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         108./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryptionchr
 
                          Note: Maps to GP FDVDenyWriteAccess_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>FDVDenyWriteAccess_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>RemovableDrivesRequireEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory" Name="FDVDenyWriteAccess_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RemovableDrivesRequireEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
                          If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
                          If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
                          If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
                          Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                         &lt;enabled/&gt;&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;xx&quot;/&gt;
+
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -595,48 +510,73 @@ The XML below is the current version for this CSP.
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>109</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;disabled/&gt;</Data>
-                           </Item>
-                         </Replace>
+                         109./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryptionchr
 
                          Note: Maps to GP RDVDenyWriteAccess_Name policy.
             </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:ADMXBacked>VolumeEncryption.admx</MSFT:ADMXBacked>
-            <MSFT:ADMXCategory>VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory</MSFT:ADMXCategory>
-            <MSFT:ADMXPolicyName>RDVDenyWriteAccess_Name</MSFT:ADMXPolicyName>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>AllowWarningForOtherDiskEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption)
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVDenyWriteAccess_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RemovableDrivesExcludedFromEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>When enabled, allows you to exclude removable drives and devices connected over USB interface from BitLocker Device Encryption. Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <CaseSense>
+          <CIS />
+        </CaseSense>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="None">
+          <MSFT:List Delimiter="," />
+        </MSFT:AllowedValues>
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>AllowWarningForOtherDiskEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>1</DefaultValue>
+        <Description>Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption)
                          and turn on encryption on the user machines silently.
                          Warning: When you enable BitLocker on a device with third party encryption, it may render the device unusable and will
                          require reinstallation of Windows.
@@ -646,51 +586,46 @@ The XML below is the current version for this CSP.
 
                          1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
                          0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
-                             the value 0 only takes affect on Azure Active Directory-joined devices.
+                             the value 0 only takes affect on Azure Active Directory joined devices.
                              Windows will attempt to silently enable BitLocker for value 0.
 
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>110</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">int</Format>
-                             </Meta>
-                             <Data>0</Data>
-                           </Item>
-                         </Replace>
-            </Description>
-            <DFFormat>
-              <int />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:SupportedValues AllowedValues="0,1">
-              <MSFT:SupportedValue value="0" description="Disables the warning prompt. Starting in Windows 10, next major update, the value 0 only takes affect on Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0."/>
-              <MSFT:SupportedValue value="1" description="Default when policy is not set."/>
-            </MSFT:SupportedValues>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>AllowStandardUserEncryption</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description>Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user.
+                         110./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryptionint0</Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>Warning prompt allowed.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>AllowStandardUserEncryption</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>0</DefaultValue>
+        <Description>Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user.
                          "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy  being set to "0", i.e, Silent encryption is enforced.
                          If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
                          is the current logged on user in the system.
@@ -702,100 +637,107 @@ The XML below is the current version for this CSP.
                              will not try to enable encryption on any drive.
 
                          If you want to disable this policy use the following SyncML:
-                         <Replace>
-                         <CmdID>111</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">int</Format>
-                             </Meta>
-                             <Data>0</Data>
-                           </Item>
-                         </Replace>
-            </Description>
-            <DFFormat>
-              <int />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:SupportedValues AllowedValues="0,1">
-              <MSFT:SupportedValue value="0" description="This is the default when the policy is not set. If current logged on user is a standard user, RequireDeviceEncryption policy
-                             will not try to enable encryption on any drive."/>
-              <MSFT:SupportedValue value="1" description="RequireDeviceEncryption policy will try to enable encryption on all fixed drives even if a current logged in user is standard user."/>
-            </MSFT:SupportedValues>
-          </DFProperties>
-        </Node>
-
-        <Node>
-          <NodeName>ConfigureRecoveryPasswordRotation</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Add />
-              <Delete />
-              <Get />
-              <Replace />
-            </AccessType>
-            <Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices.
-                          When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when
+                         111./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryptionint0</Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>3.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>"RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+        <MSFT:DependencyBehavior>
+          <MSFT:DependencyGroup FriendlyId="AllowWarningForOtherDiskEncryptionDependency">
+            <MSFT:Dependency Type="DependsOn">
+              <MSFT:DependencyUri>Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption</MSFT:DependencyUri>
+              <MSFT:DependencyAllowedValue ValueType="Range">
+                <MSFT:Value>[0]</MSFT:Value>
+              </MSFT:DependencyAllowedValue>
+            </MSFT:Dependency>
+          </MSFT:DependencyGroup>
+        </MSFT:DependencyBehavior>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>ConfigureRecoveryPasswordRotation</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <DefaultValue>0</DefaultValue>
+        <Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
+                          When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
                           Active Directory back up for recovery password is configured to required.
                           For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
                           For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
 
                           Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
-                                            1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value
-                                            2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices
+                                            1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
+                                            2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
 
                          If you want to disable this policy use the following SyncML:
 
-                         <Replace>
-                         <CmdID>112</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">int</Format>
-                             </Meta>
-                             <Data>0</Data>
-                           </Item>
-                         </Replace>
-            </Description>
-            <DFFormat>
-              <int />
-            </DFFormat>
-            <Occurrence>
-              <ZeroOrOne />
-            </Occurrence>
-            <Scope>
-              <Dynamic />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-            <MSFT:SupportedValues low="0" high="2">
-              <MSFT:SupportedValue value="0" description="Numeric Recovery Passwords Key rotation OFF"/>
-              <MSFT:SupportedValue value="1" description="Default Value. Numeric Recovery Passwords Key Rotation ON for AAD-joined devices."/>
-              <MSFT:SupportedValue value="2" description="Numeric Recovery Passwords Key Rotation ON for both AAD and Hybrid devices"/>
-            </MSFT:SupportedValues>
-          </DFProperties>
-        </Node>
-
-        <Node>
-          <NodeName>RotateRecoveryPasswords</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Exec />
-            </AccessType>
-            <Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
+                         112./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotationint0</Description>
+        <DFFormat>
+          <int />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.18363</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>0</MSFT:Value>
+            <MSFT:ValueDescription>Refresh off (default)</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>Refresh on for Azure AD-joined devices</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>2</MSFT:Value>
+            <MSFT:ValueDescription>Refresh on for both Azure AD-joined and hybrid-joined devices</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RotateRecoveryPasswords</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+        </AccessType>
+        <Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
                           This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
 
 The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
@@ -811,133 +753,522 @@ The policy only comes into effect when Active Directory backup for a recovery pa
 
 Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
 
-                         <Exec>
-                         <CmdID>113</CmdID>
-                           <Item>
-                             <Target>
-                                 <LocURI>./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords</LocURI>
-                             </Target>
-                             <Meta>
-                                 <Format xmlns="syncml:metinf">chr</Format>
-                             </Meta>
-                             <Data>&lt;RequestID/&gt;</Data>
-                           </Item>
-                         </Exec>
-            </Description>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
+                         113./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswordschr</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.18363</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>Status</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>4.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+      </DFProperties>
+      <Node>
+        <NodeName>DeviceEncryptionStatus</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>This node reports compliance state of device encryption on the system.
+                            Value '0' means the device is compliant. Any other value represents a non-compliant device.
+                </Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
         </DFProperties>
-        </Node>
-
-        <Node>
-          <NodeName>Status</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>DeviceEncryptionStatus</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <Description>This node reports compliance state of device encryption on the system.
-                           Value '0' means the device is compliant. Any other value represents a non-compliant device.
-              </Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-
-          <Node>
-            <NodeName>RotateRecoveryPasswordsStatus</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <Description> This Node reports the status of RotateRecoveryPasswords request.
-                              Status code can be one of the following:
-                              NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
-
-                </Description>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Permanent />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-
-          <Node>
-            <NodeName>RotateRecoveryPasswordsRequestID</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <Description> This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
-                              This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
-                              To ensure the status is correctly matched to the request ID.
-
-                </Description>
-                <DFFormat>
-                  <chr />
-                </DFFormat>
-                  <Occurrence>
-                    <One />
-                  </Occurrence>
-                  <Scope>
-                    <Permanent />
-                  </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-             </DFProperties>
-          </Node>
-        </Node>
       </Node>
+      <Node>
+        <NodeName>RotateRecoveryPasswordsStatus</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description> This Node reports the status of RotateRecoveryPasswords request.
+                                Status code can be one of the following:
+                                NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
+
+                  </Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.18363</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>5.0</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>RotateRecoveryPasswordsRequestID</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description> This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
+                                This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
+                                To ensure the status is correctly matched to the request ID.
+
+                  </Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.18363</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>5.0</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>RemovableDrivesEncryptionStatus</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>5.0</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>IdentificationField</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
+          The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.
+          You can configure the identification fields on existing drives by using manage-bde.exe.
+          If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.
+          When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.
+          If you disable or do not configure this policy setting, the identification field is not required.
+
+          Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
+
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>IdentificationField</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory" Name="IdentificationField_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Provide the unique identifiers for your organization" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory" GpElement="IdentificationField" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>FixedDrivesEncryptionType</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
+          If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+          If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>FixedDrivesEncryptionType</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory" Name="FDVEncryptionType_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Enforce drive encryption type on fixed data drives" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory" GpElement="FDVEncryptionType" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesEnhancedPIN</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.
+          Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.
+          If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.
+          Note:   Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.
+          If you disable or do not configure this policy setting, enhanced PINs will not be used.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>SystemDrivesEnhancedPIN</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="EnhancedPIN_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Allow enhanced PINs for startup" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" GpElement="UseEnhancedPin" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesDisallowStandardUsersCanChangePIN</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
+          This policy setting is applied when you turn on BitLocker.
+          If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+          If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>SystemDrivesDisallowStandardUsersCanChangePIN</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="DisallowStandardUsersCanChangePIN_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Disallow standard users from changing the PIN or password" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" GpElement="DisallowStandardUserPINReset" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesEnablePrebootInputProtectorsOnSlates</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability.
+
+          The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password.
+          If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
+          If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+
+          Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:
+          - Configure TPM startup PIN: Required/Allowed
+          - Configure TPM startup key and PIN: Required/Allowed
+          - Configure use of passwords for operating system drives.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>SystemDrivesEnablePrebootInputProtectorsOnSlates</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="EnablePrebootInputProtectorsOnSlates_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Enable use of Bitlocker authentication requiring preboot keyboard input on slates" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" GpElement="OSEnablePrebootInputProtectorsOnSlates" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesEncryptionType</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
+          If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+          If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>SystemDrivesEncryptionType</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="OSEncryptionType_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Enforce drive encryption type on operating system drives" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" GpElement="OSEncryptionType" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>SystemDrivesEnablePreBootPinExceptionOnDECapableDevice</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>
+          This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware.
+          If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
+          If this policy is not enabled, the options of "Require additional authentication at startup" policy apply.
+        </Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>SystemDrivesEnablePreBootPinExceptionOnDECapableDevice</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" Name="EnablePreBootPinExceptionOnDECapableDevice_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory" GpElement="OSEnablePreBootPinExceptionOnDECapableDevice" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RemovableDrivesConfigureBDE</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>RemovableDrivesConfigureBDE</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVConfigureBDE" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Control use of BitLocker on removable drives" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" GpElement="RDVConfigureBDE" />
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RemovableDrivesEncryptionType</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+          <Replace />
+        </AccessType>
+        <Description>This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <ZeroOrOne />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFTitle>RemovableDrivesEncryptionType</DFTitle>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>5.0</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:AllowedValues ValueType="ADMX">
+          <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVEncryptionType_Name" File="VolumeEncryption.admx" />
+        </MSFT:AllowedValues>
+        <MSFT:GpMapping GpEnglishName="Enforce drive encryption type on removal data drives" GpAreaPath="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" GpElement="RDVEncryptionType" />
+        <MSFT:DependencyBehavior>
+          <MSFT:DependencyGroup FriendlyId="BDEAllowed">
+            <MSFT:DependencyChangedAllowedValues ValueType="ADMX">
+              <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVConfigureBDE" File="VolumeEncryption.admx" />
+            </MSFT:DependencyChangedAllowedValues>
+            <MSFT:Dependency Type="DependsOn">
+              <MSFT:DependencyUri>Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE</MSFT:DependencyUri>
+              <MSFT:DependencyAllowedValue ValueType="ADMX">
+                <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVConfigureBDE" File="VolumeEncryption.admx" />
+              </MSFT:DependencyAllowedValue>
+            </MSFT:Dependency>
+          </MSFT:DependencyGroup>
+        </MSFT:DependencyBehavior>
+        <MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
+      </DFProperties>
+    </Node>
+  </Node>
 </MgmtTree>
 ```
 
-## Related topics
+## Related articles
 
-[BitLocker configuration service provider](bitlocker-csp.md)
+[BitLocker configuration service provider reference](bitlocker-csp.md)
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 2636c0f68e..46796cc58d 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -2774,7 +2774,7 @@ This policy setting allows you to audit events generated by attempts to access t
 - If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
 
 > [!NOTE]
-> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about SACL, see [Access control lists](/windows/win32/secauthz/access-control-lists).
 <!-- ObjectAccess_AuditSAM-Description-End -->
 
 <!-- ObjectAccess_AuditSAM-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index d4bee876d5..e46c94e961 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1767,7 +1767,7 @@ _**Turn syncing off by default but don’t disable**_
 
 <!-- EnableOrganizationalMessages-Description-Begin -->
 <!-- Description-Source-DDF -->
-Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled.
+Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Intune. By default, this policy is disabled.
 - If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences.
 <!-- EnableOrganizationalMessages-Description-End -->
 
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index adb471edb7..8dab751eb2 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -122,13 +122,13 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com
 
 Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
 1. Select **Manage** / **Settings** and turn on **Show offline apps**.
 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
 1. Search for **Quick Assist** and select it from the Search results.
 1. Choose the **Offline** license and select **Get the app**
-1. In the Endpoint Manager admin center, choose **Sync**.
+1. In the Intune admin center, choose **Sync**.
 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
 1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
 1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 0fa0a01630..7ef410564c 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -132,7 +132,7 @@ This section shows you how to create a pinned list policy in Intune. There isn't
 
 To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
 
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index dfcaee8191..4407034b34 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -170,7 +170,7 @@ MDM providers can deploy policies to devices managed by the organization, includ
 
 Use the following steps to create an Intune policy that deploys your taskbar XML file:
 
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index ff5c66875f..ebd6bb9d28 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -55,7 +55,7 @@ Two features enable Start layout control:
 
 The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
 
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 874a5657cc..7600808ed5 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -90,7 +90,7 @@ You can apply the customized Start layout with images for secondary tiles by usi
 
 In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
 
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 084263aadb..1775d6adb1 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -35,7 +35,7 @@
     - name: Plan
       items:
         - name: Plan for Windows 11
-          href: /windows/whats-new/windows-11-plan
+          href: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
         - name: Create a deployment plan
           href: update/create-deployment-plan.md
         - name: Define readiness criteria
@@ -72,7 +72,7 @@
     - name: Prepare
       items: 
         - name: Prepare for Windows 11
-          href: /windows/whats-new/windows-11-prepare
+          href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
         - name: Prepare to deploy Windows client updates
           href: update/prepare-deploy-windows.md
         - name: Evaluate and update infrastructure
diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md
index 114671fd5e..16badd2d4a 100644
--- a/windows/deployment/do/includes/get-azure-subscription.md
+++ b/windows/deployment/do/includes/get-azure-subscription.md
@@ -2,6 +2,7 @@
 author: amymzhou
 ms.author: amyzhou
 manager: dougeby
+ms.date: 10/18/2022
 ms.prod: w10
 ms.collection: M365-modern-desktop
 ms.topic: include
@@ -14,4 +15,4 @@ ms.localizationpriority: medium
 1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. 
 1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 
 1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. 
-1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. 
\ No newline at end of file
+1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. 
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index bc649af09d..0f0a693609 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -110,32 +110,3 @@ During the broad deployment phase, you should focus on the following activities:
 
 - Deploy to all devices in the organization.
 - Work through any final unusual issues that weren't detected in your Limited ring.
-
-
-## Ring deployment planning
-
-Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics.
-
-
-[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
-make informed decisions about the readiness of your Windows devices.
-
-In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest
-feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
-
-> [!IMPORTANT]
-> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity.
-
-### Deployment plan options
-
-There are two ways to implement a ring deployment plan, depending on how you manage your devices:
-
-- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans).
-- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide).
-
-For more about Desktop Analytics, see these articles:
-
-- [How to set up Desktop Analytics](/mem/configmgr/desktop-analytics/set-up)
-- [Tutorial: Deploy Windows 10 to Pilot](/mem/configmgr/desktop-analytics/tutorial-windows10)
-- [Desktop Analytics documentation](/mem/configmgr/desktop-analytics/overview)
-- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide)
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 2063dfd073..d7608bf6f1 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -221,7 +221,7 @@ The following truncated response displays:
 
 ## Approve driver content for deployment
 
-Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliance) for the policy.
+Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliancechange) for the policy.
 
 > [!IMPORTANT]
 > Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used.
@@ -277,7 +277,7 @@ Review all of the compliance changes to a policy with the most recent changes li
    ```
 
    > [!TIP]
-   > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/resources/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`.
+   > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`.
 
 To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`:
 
@@ -287,7 +287,7 @@ To retrieve the deployment ID, use the [expand parameter](/graph/query-parameter
 
 ### Edit deployment settings for a content approval
 
-Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/resources/windowsupdates--contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC:
+Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/windowsupdates-contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC:
 
 ```msgraph-interactive
 PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
@@ -304,11 +304,9 @@ content-type: application/json
 }
 ```
 
-
 ## Revoke content approval
 
-Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliance) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created.
-
+Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliancechange) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created.
 
 ```msgraph-interactive
 PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index e2f45c2ee4..ad489103a6 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -59,7 +59,7 @@ When you use [Windows Update for Business reports](wufb-reports-overview.md) in
 
 ## Permissions
 
-- [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions)
+- [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions)
   - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions.
 
 > [!NOTE]
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
index 563163371b..23bbb2b2d9 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 
 The following permissions are needed for the queries listed in this article:
 
-- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations.
+- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations.
 - At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information.
 
 Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index ca1b4d103a..3b19cd934d 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -10,7 +10,7 @@ ms.localizationpriority: medium
 ---
 <!--This file is shared by deployment-service-drivers.md, deployment-service-expedited-updates.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
 
-For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/windowsupdates-updates?view=graph-rest-beta&preserve-view=true) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/overview).
+For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/adminwindowsupdates) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/graph-explorer-overview).
 
 > [!WARNING]
 >
diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md
index cd8a433ab6..37caa47a4d 100644
--- a/windows/deployment/update/includes/wufb-reports-recommend.md
+++ b/windows/deployment/update/includes/wufb-reports-recommend.md
@@ -12,4 +12,4 @@ ms.localizationpriority: medium
 
 > [!Important]
 > - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology).
-> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/deployment/update/windows-diagnostic-data-processor-changes).
+> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 4d7cf5c662..b25c48f947 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -63,15 +63,3 @@ There is more than one way to choose devices for app validation:
 - **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
 - **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
 - **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
-
-
-### Desktop Analytics
-
-Desktop Analytics can make all of the tasks discussed in this article significantly easier:
-
-- Creating and maintaining an application and device inventory
-- Assign owners to applications for testing
-- Automatically apply your app classifications (critical, important, not important)
-- Automatically identify application compatibility risks and provide recommendations for reducing those risks
-
-For more information, see [What is Desktop Analytics?](/mem/configmgr/desktop-analytics/overview)
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 7d787fbeda..a6c241bac8 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -97,7 +97,7 @@ Enable update services on devices. Ensure that every device is running all the s
 - Windows Update
 - Windows Update Medic Service
 
-You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods.
+You can check these services manually by using Services.msc, or by using PowerShell scripts, or other methods.
 
 ### Network configuration
 
@@ -125,7 +125,7 @@ Set up [Delivery Optimization](../do/waas-delivery-optimization.md) for peer net
 
 ### Address unhealthy devices
 
-In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
+In the course of surveying your device population, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
 
 - **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
 
@@ -160,7 +160,7 @@ You can also create and run scripts to perform additional cleanup actions on dev
   net start msiserver
   ```
 
-- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
+- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
 
 - **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
 
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index 14c94f5341..aab7607865 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -33,7 +33,7 @@ This article is specifically targeted at configuring devices enrolled to [Micros
 
 Take the following steps to create a configuration profile that will set required policies for Update Compliance:
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create a profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then press **Create**.
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 693f8b440d..459f00de98 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -56,7 +56,6 @@ Update Compliance is offered as an Azure Marketplace application that is linked
 1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**.
 2. Select **Get it now**.
 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
-   - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
    - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created.
 
@@ -125,9 +124,5 @@ Once you've added Update Compliance to a workspace in your Azure subscription, y
 
 After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 
 
-### Update Compliance and Desktop Analytics
-
-If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions. 
-
 
 
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index dd9bc872b4..b1c57166c3 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -41,11 +41,7 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
 
 ### Application compatibility
 
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows.
-
-
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](/mem/configmgr/desktop-analytics/ready-for-windows).
-
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. 
 
 ## Servicing
 
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 1f773ef7d8..6dbfd4ac46 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -32,7 +32,7 @@ Create a configuration profile that will set the required policies for Windows U
 
 ### Settings catalog
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
@@ -57,7 +57,7 @@ Create a configuration profile that will set the required policies for Windows U
 
 ### Custom OMA URI-based profile
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then select **Create**.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index b01e97264d..b87a674b19 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -17,7 +17,7 @@ msreviewer: hathind
 There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
 
 > [!IMPORTANT]
-> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
+> You might have already added these contacts in the Microsoft Intune admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
 
 You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
 
@@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and
 
 **To add admin contacts:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
 1. Select **+Add**.
 1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a6540780aa..a61d9e9ad9 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -79,8 +79,12 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
             - Office Click-to-run
 - Last Intune device check in completed within the last 28 days.
 - Devices must have Serial Number, Model and Manufacturer.
-	> [!NOTE]
-	> Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
 
 For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
 
@@ -140,7 +144,7 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
 
 **To register devices with Windows Autopatch:**
 
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
@@ -160,7 +164,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
 
 **To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:**
 
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. In the left pane, select **Devices**.
 1. Navigate to Provisioning > **Windows 365**.
 1. Select Provisioning policies > **Create policy**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 15b45c91d4..d8c0580d48 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de
 
 **To deregister a device:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
@@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon
 
 **To hide unregistered devices:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 79ff9e1b78..13ce62ec8d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -23,7 +23,7 @@ Support requests are triaged and responded to as they're received.
 
 **To submit a new support request:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
 1. In the **Windows Autopatch** section, select **Support requests**.
 1. In the **Support requests** section, select **+ New support request**.
 1. Enter your question(s) and/or a description of the problem.
@@ -57,7 +57,7 @@ You can see the summary status of all your support requests. At any time, you ca
 
 **To view all your active support requests:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. From this view, you can export the summary view or select any case to view the details.
 
@@ -67,7 +67,7 @@ You can edit support request details, for example, updating the primary case con
 
 **To edit support request details:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. In the **Support requests** section, use the search bar or filters to find the case you want to edit.
 1. Select the case to open the request's details.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 92e00968e2..d63adb541d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -71,7 +71,7 @@ If you want to move separate devices to different deployment rings, after Window
 
 **To move devices in between deployment rings:**
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
 2. In the **Windows Autopatch** section, select **Devices**.
 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
 4. Select **Device actions** from the menu.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index eae276feaa..288a283c63 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/07/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -37,6 +37,9 @@ If a device is registered with Windows Autopatch, and the device is:
 - Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
 - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
 
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
 ## Windows feature update policy configuration
 
 If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
@@ -86,7 +89,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
 
 **To pause or resume a Windows feature update:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
index 1aeecfd623..ce2252c5e1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@@ -18,7 +18,7 @@ The historical All devices report provides a visual representation of the update
 
 **To view the historical All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
index beb945d17e..879934d3df 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@@ -18,7 +18,7 @@ The All devices report provides a per device view of the current update status f
 
 **To view the All devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
index 9fc28bcbbb..b3a67ad7f2 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@@ -24,7 +24,7 @@ Communications are posted to, as appropriate for the type of communication, to t
 
 - Message center
 - Service health dashboard
-- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center 
+- Windows Autopatch messages section of the Microsoft Intune admin center 
 
 :::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
 
@@ -38,7 +38,7 @@ Communications are posted to, as appropriate for the type of communication, to t
 
 ## Communications during release
 
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
 
 There are some circumstances where Autopatch will need to change the release schedule based on new information.
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
index 8b2577d48c..6476c5476e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@@ -18,7 +18,7 @@ The historical Eligible devices report provides a visual representation of the u
 
 **To view the historical Eligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Eligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
index dbcc2d106f..0bee3e92dd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@@ -21,7 +21,7 @@ The historical Ineligible devices report provides a visual representation of why
 
 **To view the historical Ineligible devices report:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Ineligible devices report—historical**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 7ab913eb2c..5b7df79fdc 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 02/07/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -33,6 +33,9 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
 
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Windows quality update releases
 
 Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
@@ -91,7 +94,7 @@ By default, the service expedites quality updates as needed. For those organizat
 
 **To turn off service-driven expedited quality updates:**
 
-1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
 2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
 
 > [!NOTE]
@@ -103,7 +106,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 
 **To view deployed Out of Band quality updates:**
 
-1. Go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
 2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
 
 > [!NOTE]
@@ -123,7 +126,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 
 **To pause or resume a Windows quality update:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
index 88f6e4ec66..b7301dd597 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -18,7 +18,7 @@ The Summary dashboard provides a summary view of the current update status for a
 
 **To view the current update status for all your enrolled devices:**
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 
 :::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 6e707c4ca8..7fb2f82094 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -38,10 +38,11 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
-| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager |  :heavy_check_mark: | :x: |
+| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune |  :heavy_check_mark: | :x: |
 | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
 | Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
 | Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies |  :heavy_check_mark: | :x: |
+| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
 | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
@@ -56,7 +57,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 
 | Task | Your responsibility | Windows Autopatch |
 | ----- | :-----: | :-----: |
-| [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
+| [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
 | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
 | [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) |  :heavy_check_mark: | :x: |
 | [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
@@ -83,7 +84,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
 | [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
 | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
-| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality and feature update communications](../operate/windows-autopatch-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
+| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
 | [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: |
 | [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: |
 | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index b091a73a97..a2e5b1c382 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
 > [!IMPORTANT]
 > You must be a Global Administrator to enroll your tenant.
 
-The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.  
+The Readiness assessment tool, accessed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.  
 
 ## Step 1: Review all prerequisites
 
@@ -37,7 +37,7 @@ The Readiness assessment tool checks the settings in [Microsoft Intune](#microso
 > [!IMPORTANT]
 > You must be a Global Administrator to run the Readiness assessment tool.
 
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
 
 > [!IMPORTANT]
@@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af
 
 **To delete the data we collect:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Navigate to Windows Autopatch > **Tenant enrollment**.
 3. Select **Delete all data**.
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 44447d5697..48f204bbf8 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -35,6 +35,6 @@ If you have a question about the case, the best way to get in touch is to reply
 
 **To view all your active tenant enrollment support requests:**
 
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
 1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 776fb296c0..cc8e865103 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -35,7 +35,7 @@ For each check, the tool will report one of four possible results:
 
 ## Microsoft Intune settings
 
-You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 ### Unlicensed admins
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5ff4c62390..b66883ee6d 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -44,12 +44,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
 | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
 | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
 
-The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
+The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
 
 - Windows 10 (1809+)/11 Pro
 - Windows 10 (1809+)/11 Enterprise
 - Windows 10 (1809+)/11 Pro for Workstations
 
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Configuration Manager co-management requirements
 
 Windows Autopatch fully supports co-management. The following co-management requirements apply:
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 5155521cf1..59f23fbd84 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -14,7 +14,7 @@ msreviewer: hathind
 
 # Changes made at tenant enrollment
 
-The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
+The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service.
 
 > [!IMPORTANT]
 > The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
@@ -27,17 +27,19 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
+| Modern Workplace Management | The Modern Workplace Management application:<ul><li>Manages the service</li><li>Publishes baseline configuration updates</li><li>Maintains overall service health</li></ul> | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.ReadWrite.All</li></ul> |
 
 ### Service principal
 
-Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
+Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
 
 - Modern Workplace Customer APIs
 
 ## Azure Active Directory groups
 
-Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
+Windows Autopatch will create the required Azure Active Directory groups to operate the service.
+
+The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
 
 | Group name | Description |
 | ----- | ----- |
@@ -59,8 +61,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 
 | Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked |
-| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)</li><li>[Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
+| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | <ul><li>MDM policy is used</li><li>GP policy is blocked</li></ul> |
+| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)</li><li>[Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
 
 ## Deployment rings for Windows 10 and later
 
@@ -76,13 +78,13 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>6</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li>|
 | Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>9</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>5</li><li>2</li><li>False</li><li>False</li>|
 
-## Feature update policies
+## Windows feature update policies
 
 - Windows Autopatch - DSS Policy [Test]
 - Windows Autopatch - DSS Policy [First]
 - Windows Autopatch - DSS Policy [Fast]
 - Windows Autopatch - DSS Policy [Broad]
-- Windows Autopatch - DSS Policy [Windows 11]
+- Modern Workplace DSS Policy [Windows 11]
 
 | Policy name | Policy description | Value |
 | ----- | ----- | ----- |
@@ -90,7 +92,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
 | Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
 | Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
-| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
+| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
 
 ## Microsoft Office update policies
 
@@ -103,10 +105,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
 | Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li></ol> |
-| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled;Days(Device) == 0 days</li></li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
-| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled;Days(Device) == 0 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
-| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 3 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
-| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 7 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol> |
+| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled; `Days(Device) == 0 days`</li></li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
+| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled; `Days(Device) == 0 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
+| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled; `Days(Device) == 3 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
+| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled; `Days(Device) == 7 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol> |
 
 ## Microsoft Edge update policies
 
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index ceede02bef..747f5c18ae 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 01/31/2023
+ms.date: 02/22/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -24,9 +24,20 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Article | Description |
 | ----- | ----- |
-| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the Microsoft Windows 10/11 diagnostic data section |
+| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) |
+| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) |
+| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) |
+| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
 | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
-| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the Built-in roles required for registration section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
+
+### February service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC517330](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Ability to opt out of Microsoft 365 App updates |
+| [MC517327](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned service maintenance downtime for European Union (EU) Windows Autopatch customers enrolled before November 8, 2022 |
 
 ## January 2023
 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 7e8bbc7ba7..cf8a83e4a3 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -400,7 +400,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 ### Autopilot registration using Intune
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
 
     ![Intune device import.](images/enroll1.png)
 
@@ -456,7 +456,7 @@ Pick one:
 
 The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group:
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
 
 2. In the **Group** pane:
     1. For **Group type**, choose **Security**.
@@ -605,7 +605,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
 
 ### Delete (deregister) Autopilot device
 
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
 
 > [!div class="mx-imgBorder"]
 > ![Delete device step 1.](images/delete-device1.png)
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index aa9a8e5a92..34186301e4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -233,9 +233,9 @@ additionalContent:
               url: /mem/endpoint-manager-overview
             - text: What is Microsoft Intune?
               url: /mem/intune/fundamentals/what-is-intune
-            - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11
+            - text: Microsoft Intune services simplify upgrades to Windows 11
               url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886
-            - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager
+            - text: Understanding readiness for Windows 11 with Microsoft Intune services
               url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866
             - text: Microsoft endpoint management blog
               url: https://aka.ms/memblog
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index c7c58e1c97..0e92139786 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/13/2018
 ms.topic: how-to
 ---
 
@@ -179,4 +180,4 @@ When resetting the size of your data history to a lower value, be sure to turn o
 
 ## Related Links
 - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
-- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?)
\ No newline at end of file
+- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index ad82dd742d..d94dfccb33 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -7,6 +7,7 @@ localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/27/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 08d84ce2f3..e5c6bbb3a2 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -7,6 +7,7 @@ localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/27/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 82c0da11c8..dc1df5efdf 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -7,6 +7,7 @@ localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/27/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index f49ab2e417..2e0e69b856 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,6 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/27/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 0511791230..c1efb0d547 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -7,6 +7,7 @@ localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/27/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 3c972e9333..01ea346024 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 06/04/2020
 ms.topic: conceptual
 ---
 
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 669941fd55..247eab8256 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/11/2016
 ms.collection: highpri
 ms.topic: conceptual
 ---
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 122f0717a3..ea7edc20e5 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/09/2018
 ms.collection: highpri
 ms.topic: how-to
 ---
@@ -172,4 +173,4 @@ The **Review problem reports** tool opens, showing you your Windows Error Report
 
 - Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer.
 
-**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
\ No newline at end of file
+**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 01d4412ac3..4810a1dd57 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 10/12/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index f111d92f7a..fb53b23a7e 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 06/28/2021
 ms.collection: highpri
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index d3e9576785..5494398cf6 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/15/2019
 ms.topic: conceptual
 ---
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f1c14f475f..f83a2778dc 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/07/2016
 ms.collection: highpri
 ms.topic: conceptual
 ---
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 9de85e40cf..37ab742b30 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 0bd15bbb50..4f20129c27 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 
@@ -495,4 +496,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
 ## Related links
 
 - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 20e9fec7fb..d83acf0faf 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 # Manage connection endpoints for Windows 10 Enterprise, version 1903
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index bfbd385697..71a9674bfc 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 # Manage connection endpoints for Windows 10 Enterprise, version 1909
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index a95f038a8d..9e492fa5e4 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 # Manage connection endpoints for Windows 10 Enterprise, version 2004
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index c292c6f1ed..dbce1a6460 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 0e47b473b6..9292ba3890 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 49eb5a3b58..423e60aac0 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 01/18/2018
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 1665c4605a..62bff63b9e 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -8,6 +8,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 08/26/2022
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 3deb6ead41..4ef29c2463 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,6 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/28/2020
 ms.collection: highpri
 ms.topic: reference
 ---
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 1fba0d455b..8b787d70e3 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,6 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/28/2020
 ms.collection: highpri
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 0dc8c28071..c981c76fa6 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/20/2019
 ms.topic: conceptual
 ---
 
@@ -251,4 +252,4 @@ An administrator can configure privacy-related settings, such as choosing to onl
 * [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) 
 * [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
 * [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
-* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\ No newline at end of file
+* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 480e474f63..7b46179c9d 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/17/2020
 ms.topic: reference
 ---
 # Windows 11 connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index f4777d4afa..164bc33b67 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/31/2017
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 04381116ab..63ed56d1a2 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 03/31/2017
 ms.collection: highpri
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 692ea4127b..85910f867e 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 06/29/2018
 ms.topic: reference
 ---
 # Windows 10, version 1809, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index cffad0f0e4..544fdaf06d 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 06/29/2018
 ms.topic: reference
 ---
 
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 364bbda151..6ff9f92fef 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 07/20/2020
 ms.topic: reference
 ---
 # Windows 10, version 1909, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 72c2c99868..095cbad7b5 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 05/11/2020
 ms.topic: reference
 ---
 # Windows 10, version 2004, connection endpoints for non-Enterprise editions
@@ -195,4 +196,3 @@ The following methodology was used to derive the network endpoints:
 |www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service
 |www.msftconnecttest.com|HTTP|Network Connection (NCSI)
 |www.office.com|HTTPS|Microsoft Office
-
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
index a909428902..7980832e2b 100644
--- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/17/2020
 ms.topic: reference
 ---
 # Windows 10, version 20H2, connection endpoints for non-Enterprise editions
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
index 379e4110bc..d168f6790d 100644
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@@ -7,6 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dougeby
+ms.date: 12/17/2020
 ms.topic: reference
 ---
 # Windows 10, version 21H1, connection endpoints for non-Enterprise editions
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
index 27db0f26ae..6d99441988 100644
--- a/windows/security/cloud.md
+++ b/windows/security/cloud.md
@@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:<b
 | Service type | Description |
 |:---|:---|
 | Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [Mobile device management](/windows/client-management/mdm/). |
-| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
+| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).|
 | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
 | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.<br/><br/>With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.<br/><br/>To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
 
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index ceef5206ad..54f2278102 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -77,6 +77,16 @@
         "identity-protection/hello-for-business/*.md": "erikdau",
         "identity-protection/credential-guard/*.md": "zwhittington",
         "identity-protection/access-control/*.md": "sulahiri"
+      },
+      "ms.collection":{
+        "identity-protection/hello-for-business/*.md": "tier1",
+        "information-protection/bitlocker/*.md": "tier1",
+        "information-protection/personal-data-encryption/*.md": "tier1",
+        "information-protection/pluton/*.md": "tier1",
+        "information-protection/tpm/*.md": "tier1",
+        "threat-protection/auditing/*.md": "tier3",
+        "threat-protection/windows-defender-application-control/*.md": "tier3",
+        "threat-protection/windows-firewall/*.md": "tier3"
       }
     },
     "template": [],
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 262ed05694..781c1f164d 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -1,7 +1,6 @@
 ---
 title: Encryption and data protection in Windows
 description: Get an overview encryption and data protection in Windows 11 and Windows 10
-search.appverid: MET150
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: overview
 ms.date: 09/22/2022
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection: 
-ms.custom: 
 ms.reviewer: rafals
 ---
 
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 0f1ca8d5c4..4ddce5cb4e 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi
 
 This content set contains:
 
-- [Dynamic Access Control Overview](dynamic-access-control.md)
-- [Security identifiers](security-identifiers.md)
-- [Security Principals](security-principals.md)
+- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview)
+- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
+- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals)
   - [Local Accounts](local-accounts.md)
-  - [Active Directory Accounts](active-directory-accounts.md)
-  - [Microsoft Accounts](microsoft-accounts.md)
-  - [Service Accounts](service-accounts.md)
-  - [Active Directory Security Groups](active-directory-security-groups.md)
+  - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts)
+  - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts)
+  - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
+  - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 
 ## Practical applications
 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
deleted file mode 100644
index fb60cd5599..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png
deleted file mode 100644
index 93e5e8e098..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png
deleted file mode 100644
index 7aad6b6a7b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png
deleted file mode 100644
index 2b6c1394b9..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png
deleted file mode 100644
index 65508e5cf4..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png
deleted file mode 100644
index 4653a66f29..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png
deleted file mode 100644
index b4e379a357..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png
deleted file mode 100644
index c725fd4f55..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png
deleted file mode 100644
index 999303a2d6..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png
deleted file mode 100644
index 412f425ccf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png
deleted file mode 100644
index b2f6d3e1e2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png
deleted file mode 100644
index 8dda5403cf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png
deleted file mode 100644
index e96b26abe1..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif
deleted file mode 100644
index d8a4d99dd2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif
deleted file mode 100644
index f76182ee25..0000000000
Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png
deleted file mode 100644
index e70fa02c92..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png
deleted file mode 100644
index 085993f92c..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png
deleted file mode 100644
index 282cdb729d..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png
deleted file mode 100644
index 89fc916400..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png
deleted file mode 100644
index d8d5af1336..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png
deleted file mode 100644
index ba3f15f597..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png
deleted file mode 100644
index 2d44e29e1b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png
deleted file mode 100644
index 89136d1ba0..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png
deleted file mode 100644
index f2d3a7596b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg
deleted file mode 100644
index cd7d341065..0000000000
Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 5a35d2853f..f6baab162b 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal
 ms.date: 12/05/2022
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index ebee2bafa4..a4f523f78b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -4,6 +4,7 @@ description: Learn how to deploy and manage Windows Defender Credential Guard us
 ms.date: 11/23/2022
 ms.collection:
   - highpri
+  - tier2
 ms.topic: article
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -66,7 +67,7 @@ To enforce processing of the group policy, you can run `gpupdate /force`.
 
 ### Enable Windows Defender Credential Guard by using Microsoft Intune
 
-1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
 
 1. Select **Configuration Profiles**.
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
deleted file mode 100644
index 5051ce94cd..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ /dev/null
@@ -1,494 +0,0 @@
----
-title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
-description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
-ms.date: 11/22/2022
-ms.topic: reference
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
----
-
-# Windows Defender Credential Guard: scripts for certificate authority issuance policies
-
-Expand each section to see the PowerShell scripts:
-
-<br>
-<details>
-<summary><b>Get the available issuance policies on the certificate authority</b></summary>
-
-Save this script file as get-IssuancePolicy.ps1.
-
-```powershell
-#######################################
-##     Parameters to be defined      ##
-##     by the user                   ##
-#######################################
-Param (
-$Identity,
-$LinkedToGroup
-)
-#######################################
-##     Strings definitions           ##
-#######################################
-Data getIP_strings {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
-help2 = Usage:
-help3 = The following parameter is mandatory:
-help4 = -LinkedToGroup:<yes|no|all>
-help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
-help6 = "no" will return only Issuance Policies that are not currently linked to any group.
-help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
-help8 = The following parameter is optional:
-help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
-help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
-help11 = Examples:
-errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
-ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
-ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
-ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
-LinkedIPs = The following Issuance Policies are linked to groups:
-displayName = displayName : {0}
-Name = Name : {0}
-dn = distinguishedName : {0}
-        InfoName = Linked Group Name: {0}
-        InfoDN = Linked Group DN: {0}   
-NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
-'@
-}
-##Import-LocalizedData getIP_strings
-import-module ActiveDirectory
-#######################################
-##           Help                    ##
-#######################################
-function Display-Help {
-    ""
-    $getIP_strings.help1
-    ""
-$getIP_strings.help2
-""
-$getIP_strings.help3
-"     " + $getIP_strings.help4
-"             " + $getIP_strings.help5
-    "             " + $getIP_strings.help6
-    "             " + $getIP_strings.help7
-""
-$getIP_strings.help8
-    "     " + $getIP_strings.help9
-    ""
-    $getIP_strings.help10
-""
-""    
-$getIP_strings.help11
-    "     " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
-    "     " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
-    "     " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
-""
-}
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-$configNCDN = [String]$root.configurationNamingContext
-if ( !($Identity) -and !($LinkedToGroup) ) {
-display-Help
-break
-}
-if ($Identity) {
-    $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
-    if ($OIDs -eq $null) {
-$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
-write-host $errormsg -ForegroundColor Red
-    }
-    foreach ($OID in $OIDs) {
-        if ($OID."msDS-OIDToGroupLink") {
-# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
-            $groupDN = $OID."msDS-OIDToGroupLink"
-            $group = get-adgroup -Identity $groupDN
-    $groupName = $group.Name
-# Analyze the group
-            if ($group.groupCategory -ne "Security") {
-$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
-                write-host $errormsg -ForegroundColor Red
-            }
-            if ($group.groupScope -ne "Universal") {
-                $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
-            }
-            $members = Get-ADGroupMember -Identity $group
-            if ($members) {
-                $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
-                foreach ($member in $members) {
-                    write-host "          "  $member -ForeGroundColor Red
-                }
-            }
-        }
-    }
-    return $OIDs
-    break
-}
-if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
-    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
-    $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
-    write-host "*****************************************************"
-    write-host $getIP_strings.LinkedIPs
-    write-host "*****************************************************"
-    write-host ""
-    if ($LinkedOIDs -ne $null){
-      foreach ($OID in $LinkedOIDs) {
-# Display basic information about the Issuance Policies
-          ""
-  $getIP_strings.displayName -f $OID.displayName
-  $getIP_strings.Name -f $OID.Name
-  $getIP_strings.dn -f $OID.distinguishedName
-# Get the linked group.
-          $groupDN = $OID."msDS-OIDToGroupLink"
-          $group = get-adgroup -Identity $groupDN
-          $getIP_strings.InfoName -f $group.Name
-          $getIP_strings.InfoDN -f $groupDN
-# Analyze the group
-          $OIDName = $OID.displayName
-    $groupName = $group.Name
-          if ($group.groupCategory -ne "Security") {
-          $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-          }
-          if ($group.groupScope -ne "Universal") {
-          $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-          }
-          $members = Get-ADGroupMember -Identity $group
-          if ($members) {
-          $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-              foreach ($member in $members) {
-                  write-host "          "  $member -ForeGroundColor Red
-              }
-          }
-          write-host ""
-      }
-    }else{
-write-host "There are no issuance policies that are mapped to a group"
-    }
-    if ($LinkedToGroup -eq "yes") {
-        return $LinkedOIDs
-        break
-    }
-}    
-if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {  
-    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
-    $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
-    write-host "*********************************************************"
-    write-host $getIP_strings.NonLinkedIPs
-    write-host "*********************************************************"
-    write-host ""
-    if ($NonLinkedOIDs -ne $null) {
-      foreach ($OID in $NonLinkedOIDs) {
-# Display basic information about the Issuance Policies
-write-host ""
-$getIP_strings.displayName -f $OID.displayName
-$getIP_strings.Name -f $OID.Name
-$getIP_strings.dn -f $OID.distinguishedName
-write-host ""
-      }
-    }else{
-write-host "There are no issuance policies which are not mapped to groups"
-    }
-    if ($LinkedToGroup -eq "no") {
-        return $NonLinkedOIDs
-        break
-    }
-}
-```
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-</details>
-
-<br>
-<details>
-<summary><b>Link an issuance policy to a group</b></summary>
-
-Save the script file as set-IssuancePolicyToGroupLink.ps1.
-
-```powershell
-#######################################
-##     Parameters to be defined      ##
-##     by the user                   ##
-#######################################
-Param (
-$IssuancePolicyName,
-$groupOU,
-$groupName
-)
-#######################################
-##     Strings definitions           ##
-#######################################
-Data ErrorMsg {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
-help2 = Usage:
-help3 = The following parameters are required:
-help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
-help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
-help6 = The following parameter is optional:
-help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
-help8 = Examples:
-help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
-help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
-MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
-NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
-IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
-MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
-confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
-OUCreationSuccess = Organizational Unit "{0}" successfully created.
-OUcreationError = Error: Organizational Unit "{0}" could not be created.
-OUFoundSuccess = Organizational Unit "{0}" was successfully found.
-multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".  
-confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
-groupCreationSuccess = Univeral Security group "{0}" successfully created.
-groupCreationError = Error: Univeral Security group "{0}" could not be created.
-GroupFound = Group "{0}" was successfully found.
-confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
-UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
-UnlinkError = Removing the link failed.
-UnlinkExit = Exiting without removing the link from the issuance policy to the group.
-IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
-ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
-ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
-ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
-ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
-LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
-LinkError = The certificate issuance policy could not be linked to the specified group.
-ExitNoLinkReplacement = Exiting without setting the new link.
-'@
-}
-# import-localizeddata ErrorMsg
-function Display-Help {
-""
-write-host $ErrorMsg.help1
-""
-write-host $ErrorMsg.help2
-""
-write-host $ErrorMsg.help3
-write-host "`t" $ErrorMsg.help4
-write-host "`t" $ErrorMsg.help5
-""
-write-host $ErrorMsg.help6
-write-host "`t" $ErrorMsg.help7
-""
-""
-write-host $ErrorMsg.help8
-""
-write-host $ErrorMsg.help9
-".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
-""
-write-host $ErrorMsg.help10
-'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
-""
-}
-# Assumption:  The group to which the Issuance Policy is going
-#              to be linked is (or is going to be created) in
-#              the domain the user running this script is a member of.
-import-module ActiveDirectory
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-if ( !($IssuancePolicyName) ) {
-display-Help
-break
-}
-#######################################
-##     Find the OID object           ##
-##     (aka Issuance Policy)         ##
-#######################################
-$searchBase = [String]$root.configurationnamingcontext
-$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
-if ($OID -eq $null) {
-$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase  
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($OID.GetType().IsArray) {
-$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase  
-write-host $tmp -ForeGroundColor Red
-break;
-}
-else {
-$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
-write-host $tmp -ForeGroundColor Green
-}
-#######################################
-##  Find the container of the group  ##
-#######################################
-if ($groupOU -eq $null) {
-# default to the Users container
-$groupContainer = $domain.UsersContainer
-}
-else {
-$searchBase = [string]$domain.DistinguishedName
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-if ($groupContainer.count -gt 1) {
-$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
-write-host $tmp -ForegroundColor Red
-break;
-}
-elseif ($groupContainer -eq $null) {
-$tmp = $ErrorMsg.confirmOUcreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
-if ($?){
-$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
-write-host $tmp -ForegroundColor Green
-}
-else{
-$tmp = $ErrorMsg.OUCreationError -f $groupOU
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
-write-host $tmp -ForegroundColor Green
-}
-}
-#######################################
-##  Find the group               ##
-#######################################
-if (($groupName -ne $null) -and ($groupName -ne "")){
-##$searchBase = [String]$groupContainer.DistinguishedName
-$searchBase = $groupContainer
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-if ($group -ne $null -and $group.gettype().isarray) {
-$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($group -eq $null) {
-$tmp = $ErrorMsg.confirmGroupCreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
-if ($?){
-$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
-write-host $tmp -ForegroundColor Green
-}else{
-$tmp = $ErrorMsg.groupCreationError -f $groupName
-write-host $tmp -ForeGroundColor Red
-break
-}
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.GroupFound -f $group.Name
-write-host $tmp -ForegroundColor Green
-}
-}
-else {
-#####
-## If the group is not specified, we should remove the link if any exists
-#####
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
-if ($?) {
-$tmp = $ErrorMsg.UnlinkSuccess
-write-host $tmp -ForeGroundColor Green
-}else{
-$tmp = $ErrorMsg.UnlinkError
-write-host $tmp -ForeGroundColor Red
-}
-}
-else {
-$tmp = $ErrorMsg.UnlinkExit
-write-host $tmp
-break
-}
-}
-else {
-$tmp = $ErrorMsg.IPNotLinked
-write-host $tmp -ForeGroundColor Yellow
-}
-break;
-}
-#######################################
-##  Verify that the group is         ##
-##  Universal, Security, and         ##
-##  has no members                   ##
-#######################################
-if ($group.GroupScope -ne "Universal") {
-$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-if ($group.GroupCategory -ne "Security") {
-$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$members = Get-ADGroupMember -Identity $group
-if ($members -ne $null) {
-$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-foreach ($member in $members) {write-host "   $member.name" -ForeGroundColor Red}
-break;
-}
-#######################################
-##  We have verified everything. We  ##
-##  can create the link from the     ##
-##  Issuance Policy to the group.    ##
-#######################################
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
-write-host $tmp  "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Replace $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-} else {
-$tmp = $Errormsg.ExitNoLinkReplacement
-write-host $tmp
-break
-}
-}
-else {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Add $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-}
-```
-
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-</details>
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 6548d02f17..0ab05c22ab 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -5,6 +5,7 @@ ms.date: 11/22/2022
 ms.topic: article
 ms.collection: 
   - highpri
+  - tier2
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 33c5c76b9f..a82f25aa93 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -267,7 +267,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
         <ipv4DnsServer>10.10.0.1</ipv4DnsServer>
         <ipv4DnsServer>10.10.0.2</ipv4DnsServer>
         <dnsSuffix>corp.contoso.com</dnsSuffix> 
-	</signal> 
+    </signal> 
 </rule>
 ```
 
@@ -280,12 +280,12 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
 
 ```xml
 <rule schemaVersion="1.0"> 
-	<signal type="ipConfig"> 
-	    <dnsSuffix>corp.contoso.com</dnsSuffix> 
-	</signal> 
+    <signal type="ipConfig"> 
+        <dnsSuffix>corp.contoso.com</dnsSuffix> 
+    </signal> 
 </rule>,
 <rule schemaVersion="1.0">
-	<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+    <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 25100512b3..fa405ca079 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -49,7 +49,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning
 
 The following method explains how to disable Windows Hello for Business enrollment using Intune.
 
-1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index b7b06e3193..299c09d7f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c9bc5a12f3..e6a01bb2b8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index a73ef3f3f2..5d92d9dcb7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 12/12/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 64b6af4819..22f170e86e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic:
 - [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
 
 ## Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 424f82c737..8896bacc2b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in
 description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
 ms.collection: 
   - ContentEngagementFY23
+  - tier1
 ms.topic: article
 ms.date: 11/15/2022
 appliesto: 
@@ -105,7 +106,7 @@ Once these requirements are met, a policy can be configured in Intune that provi
 
 This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Intune admin center</b></a>
 1. Select **Devices > Configuration profiles > Create profile**
 1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**
 1. Select **Create**
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index c853063c26..8888488586 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -2,8 +2,11 @@
 metadata:
   title: Windows Hello for Business Frequently Asked Questions (FAQ)
   description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
+  author: paolomatarazzo
+  ms.author: paoloma
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 01/06/2023
   appliesto: 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index adfbe58657..d6d35b189a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -76,5 +76,5 @@ The computer is ready for dual enrollment.  Sign in as the privileged user first
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 6bae92fc12..9f461f9697 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -55,5 +55,5 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e1aa2e7acb..7b1fdf338f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -3,6 +3,7 @@ title: Pin Reset
 description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 07/29/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -128,7 +129,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI
 
 You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Configuration profiles** > **Create profile**.
 1. Enter the following properties:
     - **Platform**: Select **Windows 10 and later**.
@@ -150,7 +151,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
 
 >[!NOTE]
 > You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 > 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
@@ -231,7 +232,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 
 ### Configure Web Sign-in Allowed URLs using Microsoft Intune
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
 1. Select **Devices** > **Configuration profiles** > **Create profile**
 1. Enter the following properties:
     - **Platform**: Select **Windows 10 and later**
@@ -265,5 +266,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 2281821bdc..2f1c460668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -5,6 +5,8 @@ ms.date: 02/24/2021
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ms.topic: article
+ms.collection:
+  - tier1
 ---
 
 # Remote Desktop
@@ -56,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 7bec9c2543..b3765851fa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
 
 ### More information on cloud experience host
 
-[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md)
+[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works)
 
 ## Cloud Kerberos trust
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 9f3670151c..40e094e6c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 2cc6e81fff..fbed200f77 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -14,7 +14,7 @@ ms.topic: how-to
 If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
 
 > [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
 
 Steps you'll perform include:
 
@@ -848,7 +848,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices**, and then select **Configuration Profiles**.
 
@@ -901,7 +901,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign-in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices**, and then select **Configuration Profiles**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 22d0a585f9..d0aa2590f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -242,7 +242,7 @@ The domain controllers have a certificate that includes the new CRL distribution
 
 To configure devices with Microsoft Intune, use a custom policy:
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Intune admin center</b></a>
 1. Select **Devices > Configuration profiles > Create profile**
 1. Select **Platform > Windows 8.1 and later** and **Profile type > Trusted certificate**
 1. Select **Create**
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 205970b978..a1a88d6f2e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -119,12 +119,12 @@ There are different ways to enable and configure Windows Hello for Business in I
 
 To check the Windows Hello for Business policy applied at enrollment time:
 
-1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
 
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
 
 If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
 
@@ -132,7 +132,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
 
 To configure Windows Hello for Business using an *account protection* policy:
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Endpoint security** > **Account protection**
 1. Select **+ Create Policy**
 1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
@@ -147,7 +147,7 @@ To configure Windows Hello for Business using an *account protection* policy:
 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
 1. Review the policy configuration and select **Create**
 
-:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-cert-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png":::
 
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 80f86ef481..9d45b8bed7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete:
 > - Update group memberships for the AD FS service account
 
 > [!div class="nextstepaction"]
-> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
\ No newline at end of file
+> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index ce118ce681..ad3834ab87 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -98,7 +98,7 @@ If you already enabled Windows Hello for Business, you can skip to **configure t
 
 You can also follow these steps to create a device configuration policy instead of using the device enrollment policy:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
 1. For Platform, select **Windows 10 and later**.
 1. For Profile Type, select **Templates** and select the **Identity Protection** Template.
@@ -116,7 +116,7 @@ Windows Hello for Business settings are also available in the settings catalog.
 
 To configure the cloud Kerberos trust policy, follow the steps below:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
 1. For Profile Type, select **Templates** and select the **Custom** Template.
 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index a165084a61..73c27e5835 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -35,12 +35,12 @@ There are different ways to enable and configure Windows Hello for Business in I
 
 To check the Windows Hello for Business policy applied at enrollment time:
 
-1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured
 
-:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png":::
+:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png":::
 
 If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy.
 
@@ -48,7 +48,7 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip
 
 To configure Windows Hello for Business using an *account protection* policy:
 
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Endpoint security** > **Account protection**
 1. Select **+ Create Policy**
 1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection**
@@ -62,7 +62,7 @@ To configure Windows Hello for Business using an *account protection* policy:
 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
 1. Review the policy configuration and select **Create**
 
-:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Endpoint Manager admin center using an account protection policy." border="true" lightbox="images/whfb-intune-account-protection-enable.png":::
+:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png":::
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index e1ed3396b6..518283865d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.collection: 
 - highpri
+- tier1
 ms.date: 12/13/2022
 appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 8c3bfe995d..e666aa4beb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows)
 description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 2/15/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 48c16385f3..d6e6de308d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows)
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 appliesto: 
   - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -110,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c3c5912b26..f3e0b27534 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
+The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 
 > [!NOTE]
 > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 69e4a380e5..0efcd603a1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 89fe8f84ce..6b65c109d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
 description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 10/23/2017
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -81,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
deleted file mode 100644
index 50029cc00e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
deleted file mode 100644
index 93085b03a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
deleted file mode 100644
index 88aaf424f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
deleted file mode 100644
index 3d547d05fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png
deleted file mode 100644
index d98d871f21..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
deleted file mode 100644
index caacf8a566..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
deleted file mode 100644
index 226f85eeb0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
deleted file mode 100644
index 067c109808..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
deleted file mode 100644
index f2c38239f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
deleted file mode 100644
index 74cea5f0b5..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
deleted file mode 100644
index e95fd1b9ba..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
deleted file mode 100644
index c973e43aec..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
deleted file mode 100644
index 70aaa2db9d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
deleted file mode 100644
index eadf1eb285..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
deleted file mode 100644
index 56cced034f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
deleted file mode 100644
index e4e4555942..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
deleted file mode 100644
index 390bfecafd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
deleted file mode 100644
index a136973f04..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
deleted file mode 100644
index c78baecd49..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
deleted file mode 100644
index 96fe45bbcf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
deleted file mode 100644
index 004d3a3f25..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
deleted file mode 100644
index 9d66d330fd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
deleted file mode 100644
index dea61f116e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
deleted file mode 100644
index 831e12fe59..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
deleted file mode 100644
index 21f4159d80..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
deleted file mode 100644
index 49c4dee983..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
deleted file mode 100644
index c2a4f36704..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
deleted file mode 100644
index 0ec08ecbc0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
deleted file mode 100644
index 46db47b6f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
deleted file mode 100644
index 91e079feca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
deleted file mode 100644
index 85bc6491cf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
deleted file mode 100644
index 7f0be5249d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
deleted file mode 100644
index 72c94fb321..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
deleted file mode 100644
index 64f85b1f54..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
deleted file mode 100644
index 6894047f98..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
deleted file mode 100644
index 3167588d7b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
deleted file mode 100644
index 611bbfad70..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
deleted file mode 100644
index b74cf682ac..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
deleted file mode 100644
index 5643cecec0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
deleted file mode 100644
index c6750396dd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
deleted file mode 100644
index 8b003013f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
deleted file mode 100644
index 44bbc4a572..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
deleted file mode 100644
index df7973e2ca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
deleted file mode 100644
index eb3458bf76..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
deleted file mode 100644
index 6011b3c66e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
deleted file mode 100644
index ac1752b75b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
deleted file mode 100644
index 2835e56049..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
deleted file mode 100644
index 4874ca4516..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
deleted file mode 100644
index c6572cbd5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
deleted file mode 100644
index 3a72066a31..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
deleted file mode 100644
index c3754b5389..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
deleted file mode 100644
index 97db24c262..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
deleted file mode 100644
index 80f9d53d2c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
deleted file mode 100644
index 97ad2a1bfb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png
deleted file mode 100644
index b7086b9b79..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
deleted file mode 100644
index 174cf0a790..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
deleted file mode 100644
index 028f06544c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
deleted file mode 100644
index 322a4fcbdc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
deleted file mode 100644
index f86101b1e8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
deleted file mode 100644
index d9acfd8170..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
deleted file mode 100644
index 21d37405a7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
deleted file mode 100644
index a5b340a3f8..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
deleted file mode 100644
index b637be9beb..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 0c6b760604..75e29c597a 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -16,6 +16,7 @@ metadata:
   ms.date: 01/22/2021
   ms.collection:
     - highpri
+    - tier1
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
 
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
deleted file mode 100644
index d8e3598dc9..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 2876ab9e18..63c2e03d67 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -7,6 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
@@ -51,12 +52,12 @@ Use the following table to compare different Remote Desktop connection security
 
 | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
 |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server                                                                                   |
+|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server                                                                                   |
 |                                                   **Version support**                                                    |                                        The remote computer can run any Windows operating system                                        | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
 | **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; |                             &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                              |                   <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul>                   |                                                                                                                <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul>                                                                                                                |
 |                             **Credentials supported from the remote desktop client device**                              | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> |                                  <ul><li> <b>Signed on</b> credentials only                                  |                                                                                        <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul>                                                                                         |
 |                                                        **Access**                                                        |                           **Users allowed**, that is, members of Remote Desktop Users group of remote host.                            |                      **Users allowed**, that is, members of Remote Desktop Users of remote host.                       |                                                                                                              **Administrators only**, that is, only members of Administrators group of remote host.                                                                                                               |
-|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host’s identity**.                                                                                                                 |
+|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host's identity**.                                                                                                                 |
 |                                                      **Multi-hop**                                                       |                        From the remote desktop, **you can connect through Remote Desktop to another computer**                         |                From the remote desktop, you **can connect through Remote Desktop to another computer**.                |                                                                                                                      Not allowed for user as the session is running as a local host account                                                                                                                       |
 |                                               **Supported authentication**                                               |                                                        Any negotiable protocol.                                                        |                                                     Kerberos only.                                                     |                                                                                                                                              Any negotiable protocol                                                                                                                                              |
 
@@ -71,7 +72,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c
 
 ## Remote Desktop connections and helpdesk support scenarios
 
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects.
+For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
 
 Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
 
@@ -90,7 +91,7 @@ The Remote Desktop client device:
 
 -  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
 
--  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+-  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
 
 -  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
 
@@ -100,7 +101,7 @@ The Remote Desktop remote host:
 
 -  Must be running at least Windows 10, version 1607 or Windows Server 2016.
 -  Must allow Restricted Admin connections.
--  Must allow the client’s domain user to access Remote Desktop connections.
+-  Must allow the client's domain user to access Remote Desktop connections.
 -  Must allow delegation of non-exportable credentials.
 
 There are no hardware requirements for Windows Defender Remote Credential Guard.
@@ -182,7 +183,7 @@ mstsc.exe /remoteGuard
 
 ## Considerations when using Windows Defender Remote Credential Guard
 
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied.
 
 - Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 3c1b301625..10b6bda518 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -8,6 +8,7 @@ ms.reviewer: ardenw
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index a968914652..8037f68045 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -3,6 +3,7 @@ title: How User Account Control works (Windows)
 description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index f3c8c14d4e..979a7ae1f1 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -3,6 +3,7 @@ title: User Account Control Group Policy and registry key settings (Windows)
 description: Here's a list of UAC  Group Policy and registry key settings that your organization can use to manage UAC.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 04/19/2017
 appliesto: 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 35851d61af..93502be3e3 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -3,6 +3,7 @@ title: User Account Control (Windows)
 description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 09/24/2011
 appliesto: 
diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png
deleted file mode 100644
index b229c96b68..0000000000
Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
deleted file mode 100644
index 9f4efabc3f..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png
deleted file mode 100644
index 4224979bbd..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
deleted file mode 100644
index 7277b7a598..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index d5725508e4..a6330f4ad8 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -295,9 +295,9 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
 
 ## Apply ProfileXML using Intune
 
-After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
+After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png
deleted file mode 100644
index 62aaa46f8d..0000000000
Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ
diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#32bedd" />
-      <stop offset="0.175" stop-color="#32caea" />
-      <stop offset="0.41" stop-color="#32d2f2" />
-      <stop offset="0.775" stop-color="#32d4f5" />
-    </linearGradient>
-  </defs>
-  <title>MsPortalFx.base.images-10</title>
-  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
-    <g>
-      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
-      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
-      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
-      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
-      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
-    </g>
-  </g>
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
-  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#76bc2d" />
-      <stop offset="0.32" stop-color="#73b82c" />
-      <stop offset="0.65" stop-color="#6cab29" />
-      <stop offset="0.99" stop-color="#5e9724" />
-      <stop offset="1" stop-color="#5e9624" />
-    </linearGradient>
-    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#0078d4" />
-      <stop offset="0.17" stop-color="#1c84dc" />
-      <stop offset="0.38" stop-color="#3990e4" />
-      <stop offset="0.59" stop-color="#4d99ea" />
-      <stop offset="0.8" stop-color="#5a9eee" />
-      <stop offset="1" stop-color="#5ea0ef" />
-    </linearGradient>
-  </defs>
-  <title>Icon-general-18</title>
-  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
-  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png
deleted file mode 100644
index a598365cb7..0000000000
Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png
deleted file mode 100644
index e062b0d292..0000000000
Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
deleted file mode 100644
index f928705138..0000000000
--- a/windows/security/includes/improve-request-performance.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!TIP]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
diff --git a/windows/security/includes/intune-custom-settings-info.md b/windows/security/includes/intune-custom-settings-info.md
deleted file mode 100644
index 9509d5b13d..0000000000
--- a/windows/security/includes/intune-custom-settings-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-1.md b/windows/security/includes/intune-settings-catalog-1.md
deleted file mode 100644
index 2ddfc8d6b6..0000000000
--- a/windows/security/includes/intune-settings-catalog-1.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use the settings catalog:
-
-  > [!TIP]
-  > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_Workflows/SettingsCatalogWizardBlade/mode/create/platform/Windows%2010%20and%20later/policyType/SettingsCatalogWindows10" target="_blank"><b>create a Settings catalog policy</b></a> (opens in a new tab).
-
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description** > **Next**
-6. In the settings picker, add the following settings:
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-2.md b/windows/security/includes/intune-settings-catalog-2.md
deleted file mode 100644
index 9558ed41a7..0000000000
--- a/windows/security/includes/intune-settings-catalog-2.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Optionally, add *scope tags* > **Next**
-9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-info.md b/windows/security/includes/intune-settings-catalog-info.md
deleted file mode 100644
index 8387d702ff..0000000000
--- a/windows/security/includes/intune-settings-catalog-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog).
\ No newline at end of file
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
deleted file mode 100644
index d4b4560d8f..0000000000
--- a/windows/security/includes/machineactionsnote.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint.
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
deleted file mode 100644
index 0b0b2be701..0000000000
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
deleted file mode 100644
index bd9a8d2c0d..0000000000
--- a/windows/security/includes/microsoft-defender.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
deleted file mode 100644
index c0212561bd..0000000000
--- a/windows/security/includes/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 2aa8f670fe..ce7aece4b4 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -11,6 +11,7 @@ metadata:
   ms.technology: itpro-security
   ms.collection:
     - highpri
+    - tier1
   author: paolomatarazzo
   ms.author: paoloma
   ms.date: 12/19/2022
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index b917a468f8..daa9cba013 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 32a6c0816b..bc4ad1b106 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -90,17 +90,17 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne
 
 ### Protecting Thunderbolt and other DMA ports
 
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.  
+There are a few different options to protect DMA ports, such as Thunderbolt&trade;3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt&trade; 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.  
 
 You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
 
 ![Kernel DMA protection.](images/kernel-dma-protection.png)
 
-If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
+If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt&trade; 3 enabled ports:
 
 1. Require a password for BIOS changes
 
-2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
+2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
 
 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
 
@@ -141,7 +141,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
 
 ### Tricking BitLocker to pass the key to a rogue operating system
 
-An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
+An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
  
 An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index bb9df0cf68..e922e90f32 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,7 +34,7 @@ This article depicts the BitLocker deployment comparison chart.
 |*Cloud or on premises*      |     Cloud    |  On premises     |    On premises     |
 |Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
 |*Additional agent required?*     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
-|*Administrative plane*     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
+|*Administrative plane*     | Microsoft Intune admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
 |*Administrative portal installation required*     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
 |*Compliance reporting capabilities*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
 |*Force encryption*     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 811287a4d3..c0f495b8a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -8,6 +8,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 24016c5ca6..4f7256eadb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 38d6bcb2f9..8b776366c3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 8398ff5cb5..3243fdb178 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5cc2a4ae6c..a3b7a72ca1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -8,6 +8,7 @@ author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 495549c66c..39eb80e0aa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
deleted file mode 100644
index 11ce21de12..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Breaking out of a BitLocker recovery loop
-description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: 
-  - highpri
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# Breaking out of a BitLocker recovery loop
-
-Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
-
-If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
-
-> [!NOTE]
-> Try these steps only after the device has been restarted at least once.
-
-1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
-
-2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
-
-3. From the WinRE command prompt, manually unlock the drive with the following command:
-
-```cmd
-manage-bde.exe -unlock C: -rp <recovery password>
-```
-
-4. Suspend the protection on the operating system with the following command:
-
-```cmd
-manage-bde.exe -protectors -disable C:
-```
-
-5. Once the command is run, exit the command prompt and continue to boot into the operating system.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index ea25cc99da..ba44582914 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index fe24fac2a4..1592e527a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
deleted file mode 100644
index 11f986fb68..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
deleted file mode 100644
index 5b5b7b1b4a..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
deleted file mode 100644
index 8d243a1899..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
deleted file mode 100644
index bd37969b5d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
deleted file mode 100644
index 00ef607ab3..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
deleted file mode 100644
index 2085613b3d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
deleted file mode 100644
index f4506c399b..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
deleted file mode 100644
index cbecb03c4e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
deleted file mode 100644
index 01e94b1243..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
deleted file mode 100644
index 9056658662..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
deleted file mode 100644
index d68a22eef7..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
deleted file mode 100644
index 689bb19299..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
deleted file mode 100644
index d521e86eed..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
deleted file mode 100644
index bfcd2326b6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
deleted file mode 100644
index 05acc571fe..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
deleted file mode 100644
index fa13f38ba9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
deleted file mode 100644
index a4f5cc15d2..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
deleted file mode 100644
index 7b7e449443..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
deleted file mode 100644
index 95afbf2ccc..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
deleted file mode 100644
index d2caa05b03..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
deleted file mode 100644
index 14a30db7c4..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
deleted file mode 100644
index e691dcbc53..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
deleted file mode 100644
index 40ddf183f6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
deleted file mode 100644
index c600883c0e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
deleted file mode 100644
index 91d10e6c66..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
deleted file mode 100644
index 21adc928de..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
deleted file mode 100644
index 2941452109..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
deleted file mode 100644
index 53b374d26e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
deleted file mode 100644
index bc299cc0e9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
deleted file mode 100644
index 1bef01d587..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
deleted file mode 100644
index d4d825029c..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
deleted file mode 100644
index 2acac0f3ea..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
deleted file mode 100644
index cb5b84d6b9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
deleted file mode 100644
index 3b3cd2b961..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
deleted file mode 100644
index 4e82b9b76e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
deleted file mode 100644
index 8fb9446d93..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg
deleted file mode 100644
index f1c25c116c..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png
deleted file mode 100644
index dfd30ba2a2..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 234c8a6eba..49d276838c 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,12 +1,13 @@
 ---
 title: Kernel DMA Protection (Windows)
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt&trade; 3 ports.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 01/05/2023
 ms.technology: itpro-security
@@ -18,7 +19,7 @@ ms.technology: itpro-security
 -   Windows 10
 -   Windows 11
 
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt&trade; 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
 
 Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
 
@@ -32,9 +33,9 @@ The DMA capability is what makes PCI devices the highest performing devices avai
 These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. 
 Access to these devices required the user to turn off power to the system and disassemble the chassis. 
 
-Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). 
+Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt&trade; and CFexpress). 
 
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. 
+Hot plug PCIe ports such as Thunderbolt&trade; technology have provided modern PCs with extensibility that wasn't available before for PCs. 
 It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. 
 Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
 
@@ -102,15 +103,15 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
 
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
 
-   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ## Frequently asked questions
 
-### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
-In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+### Do in-market systems support Kernel DMA Protection for Thunderbolt&trade; 3?
+In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt&trade; 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
-No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt&trade; 3 ports during boot. 
 
 ### How can I check if a certain driver supports DMA-remapping?
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
@@ -122,7 +123,7 @@ Check the driver instance for the device you are testing. Some drivers may have
 
 ![Experience of a user about Kernel DMA protection](images/device-details-tab.png)
 
-### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+### When the drivers for PCI or Thunderbolt&trade; 3 peripherals do not support DMA-remapping?
 
 If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
index 0aed4ad1d1..e42dd1f9c9 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -21,7 +21,7 @@ ms.date: 12/13/2022
 
 ### Enable Personal Data Encryption (PDE)
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
@@ -65,7 +65,7 @@ ms.date: 12/13/2022
 
 ### Disable Winlogon automatic restart sign-on (ARSO)
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
@@ -107,7 +107,7 @@ ms.date: 12/13/2022
 
 ### Disable kernel-mode crash dumps and live dumps
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
@@ -145,7 +145,7 @@ ms.date: 12/13/2022
 
 ### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
@@ -183,7 +183,7 @@ ms.date: 12/13/2022
 
 ### Disable hibernation
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
@@ -221,7 +221,7 @@ ms.date: 12/13/2022
 
 ### Disable allowing users to select when a password is required when resuming from connected standby
 
-1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Navigate to **Devices** > **Configuration Profiles**
 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index edec923f61..80d41fa3fb 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -5,8 +5,9 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 manager: aaroncz
-ms.collection: 
+ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 05/12/2022
 ms.author: dansimp
@@ -91,13 +92,13 @@ To trust and boot operating systems, like Linux, and components signed by the UE
 
 1. Open the firmware menu, either: 
   
-  - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site.
+  - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
 
   - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
   
-2.	From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”. 
+2.    From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". 
 
-3.	Save changes and exit. 
+3.    Save changes and exit. 
  
 Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. 
 
@@ -132,6 +133,8 @@ Depending on the implementation and configuration, the server can now determine
 
 Figure 2 illustrates the Measured Boot and remote attestation process.
 
+
+
 ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 
 *Figure 2. Measured Boot proves the PC's health to a remote server*
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5545248585..1f711c3493 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -14,7 +14,7 @@ ms.technology: itpro-security
 # Back up the TPM recovery information to AD DS
 
 **Applies to**
--   Windows 10
+-   Windows 10
 -   Windows 11
 -   Windows Server 2016 and above
 
@@ -22,7 +22,7 @@ ms.technology: itpro-security
 
 -   Windows 10, version 1607 or later
 
-With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
+With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
 
 ## Related topics
 
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
deleted file mode 100644
index 5fabd8a69f..0000000000
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Change the TPM owner password (Windows)
-description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.reviewer: 
-ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 01/18/2022
-ms.technology: itpro-security
----
-
-# Change the TPM owner password
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-
-## About the TPM owner password
-
-Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
-
-> [!IMPORTANT]
-> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
-
-Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
-
-Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI.
-
-### Other TPM management options
-
-Instead of changing your owner password, you can also use the following options to manage your TPM:
-
--   **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
--   **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm).
-
-## Change the TPM owner password
-
-With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
-
-To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index df275cf0b3..d1f3ca2437 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -30,9 +30,9 @@ The Windows operating system improves most existing security features in the ope
 
 The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more.
 
-Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
 
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM's features.
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
@@ -40,7 +40,7 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
 
-Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
 
 ## TPM in Windows 
 
@@ -58,15 +58,15 @@ The Platform Crypto Provider, introduced in the Windows 8 operating system, expo
 
 - **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
 
-These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically.
 
 ## Virtual Smart Card
 
-Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
 
-In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses.
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
 
-For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates "lost card" and "card left at home" scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
 
 ## Windows Hello for Business
 
@@ -87,21 +87,21 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 
 ## BitLocker Drive Encryption
 
-BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
 
 In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
-- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 
 - **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
 
-Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
 
-Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
 
 ## Device Encryption
 
-Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the "TPM-only" configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
 
 For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
 
@@ -111,7 +111,7 @@ Windows 8 introduced Measured Boot as a way for the operating system to record t
 
 The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
 
-Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
 
 TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
 
@@ -133,7 +133,7 @@ Mobile device management (MDM) solutions can receive simple security assertions
 
 ## Credential Guard
 
-Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
+Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization.
 
 Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
 
@@ -141,17 +141,17 @@ The resulting solution provides defense in depth, because even if malware runs i
 
 ## Conclusion
 
-The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features.
+The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
 
 <br/>
 
 |Feature | Benefits when used on a system with a TPM|
 |---|---|
-| Platform Crypto Provider | <ul><li>If the machine is compromised, the private key associated with the certificate cannot be copied off the device.</li><li>The TPM’s dictionary attack mechanism protects PIN values to use a certificate.</li></ul> |
+| Platform Crypto Provider | <ul><li>If the machine is compromised, the private key associated with the certificate cannot be copied off the device.</li><li>The TPM's dictionary attack mechanism protects PIN values to use a certificate.</li></ul> |
 | Virtual Smart Card | <ul><li>Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.</li></ul> |
-| Windows Hello for Business | <ul><li>Credentials provisioned on a device cannot be copied elsewhere.</li><li>Confirm a device’s TPM before credentials are provisioned.</li></ul> |
+| Windows Hello for Business | <ul><li>Credentials provisioned on a device cannot be copied elsewhere.</li><li>Confirm a device's TPM before credentials are provisioned.</li></ul> |
 | BitLocker Drive Encryption | <ul><li>Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.</li></ul> |
-|Device Encryption | <ul><li>With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.</li></ul> |
+|Device Encryption | <ul><li>With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.</li></ul> |
 | Measured Boot | <ul><li>A hardware root of trust contains boot measurements that help detect malware during remote attestation.</li></ul> |
 | Health Attestation | <ul><li>MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. </li></ul> |
 | Credential Guard | <ul><li>Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.</li></ul> |
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index dc54432a56..0fa4cfb623 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -8,6 +8,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -71,7 +72,7 @@ You can use the Windows Defender Security Center app to clear the TPM as a troub
 Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.
 
 > [!WARNING]
-> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
+> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM."
 
 ### Precautions to take before clearing the TPM
 
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
deleted file mode 100644
index 1ec4c72de8..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Manage TPM commands (Windows)
-description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-
-# Manage TPM commands
-
-**Applies to**
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-
-After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
-
-The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
-
-**To block TPM commands by using the Local Group Policy Editor**
-
-1.  Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-    > [!NOTE]
-    > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
-
-2.  In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
-
-3.  Under **System**, click **Trusted Platform Module Services**.
-
-4.  In the details pane, double-click **Configure the list of blocked TPM commands**.
-
-5.  Click **Enabled**, and then click **Show**.
-
-6.  For each command that you want to block, click **Add**, enter the command number, and then click **OK**.
-
-    > [!NOTE]
-    > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
-
-7.  After you have added numbers for each command that you want to block, click **OK** twice.
-
-8.  Close the Local Group Policy Editor.
-
-**To block or allow TPM commands by using the TPM MMC**
-
-1.  Open the TPM MMC (tpm.msc)
-
-2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-3.  In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-4.  In the list, select a command that you want to block or allow.
-
-5.  Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy.
-
-**To block new commands**
-
-1.  Open the TPM MMC (tpm.msc).
-
-    If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2.  In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-3.  In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed.
-
-4.  In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
deleted file mode 100644
index b348034a8d..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Manage TPM lockout (Windows)
-description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.reviewer: 
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-# Manage TPM lockout
-
-**Applies to**
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-
-## About TPM lockout
-
-The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
-
-TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password.
-
-In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-
-**TPM 1.2**
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time.
-
-**TPM 2.0**
-
-TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1.
-
-If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
-
-## Reset the TPM lockout by using the TPM MMC
-
-> [!NOTE]
-> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher.
-
-The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
-
-**To reset the TPM lockout**
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
-
-3. Choose one of the following methods to enter the TPM owner password:
-
-   -   If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
-
-   -   If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
-
-   > [!NOTE]
-   > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
-
-## Use Group Policy to manage TPM lockout settings
-
-The TPM Group Policy settings in the following list are located at:
-
-**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-
--   [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration)
-
-    This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
-
--   [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold)
-
-    This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
-
--   [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold)
-
-    This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
-
-For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering).
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index ef5a4ad22d..6e27cc9532 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -41,7 +41,7 @@ It is important to note that this binding to PCR values also includes the hashin
 
 When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
 
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
 
 ## What can I do to switch PCRs when BitLocker is already active?
 
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 60e31fc6af..e6fafb1224 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -26,7 +26,7 @@ Computers that incorporate a TPM can create cryptographic keys and encrypt them
 
 You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
 
-Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
+Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
 
 With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
 
@@ -61,7 +61,7 @@ The Measured Boot feature provides antimalware software with a trusted (resistan
 
 ## TPM-based Virtual Smart Card
 
-The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
 
 ## TPM-based certificate storage
 
@@ -93,7 +93,7 @@ When a TPM processes a command, it does so in a protected environment, for examp
 
 TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
 
-Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
+Because many entities can use the TPM, a single authorization success cannot reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic.
 
 ### TPM 2.0 anti-hammering
 
@@ -125,7 +125,7 @@ Beginning with Windows 10, version 1703, the minimum length for the BitLocker PI
 
 The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
 
--   Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
+-   Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
 
 -   Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
 
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index aab2d0711e..6207a1192c 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -28,9 +29,9 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol
 
 ## TPM design and implementation
 
-Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
 
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index f768669a7c..f484ac475a 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 adobe-target: true
 ms.technology: itpro-security
@@ -32,7 +33,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
 
 - Generate, store, and limit the use of cryptographic keys.
 
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
+- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it.
 
 - Help ensure platform integrity by taking and storing security measurements.
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 300fe10913..ca9f536057 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -8,6 +8,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 | [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
 | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
 | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
+| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
 | [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
 | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
 | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 12fd396283..2145eb7a1a 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -24,7 +24,7 @@ After you've created and deployed your Windows Information Protection (WIP) poli
 
 To associate your WIP policy with your organization's existing VPN policy, use the following steps:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index d60c78b01f..7b9a855583 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
 ---
 title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
+description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
 ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
@@ -53,7 +53,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 ## Create a WIP policy
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
 
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
index 8356183a84..cef1666430 100644
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
@@ -34,7 +34,7 @@ When you unassign an existing policy, it removes the intent to deploy WIP from t
 
 If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Open Microsoft Intune and select **Apps** > **App protection policies**.
 1. Select the existing policy to turn off, and then select the **Properties**.
 1. Edit **Required settings**.
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png
deleted file mode 100644
index 5ce10dd81f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index 6bc8237f7f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
deleted file mode 100644
index 7d67692ff3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png
deleted file mode 100644
index 3ffbcce88c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png
deleted file mode 100644
index 0148a800b2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
deleted file mode 100644
index 3ceabfd15a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
deleted file mode 100644
index 09bbda3a06..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
deleted file mode 100644
index 17a97b8d3a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
deleted file mode 100644
index 7b226b7edd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
deleted file mode 100644
index 52e3983adf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
deleted file mode 100644
index 808de2db0e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
deleted file mode 100644
index 3f7b7af6b6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
deleted file mode 100644
index f889dbca48..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
deleted file mode 100644
index de066d3a8b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
deleted file mode 100644
index 7987e91454..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
deleted file mode 100644
index 70e726d379..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
deleted file mode 100644
index e48b59aa4b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
deleted file mode 100644
index 6aa8f89355..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
deleted file mode 100644
index 6786a93416..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
deleted file mode 100644
index bc801a8521..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
deleted file mode 100644
index 64d9ebda26..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
deleted file mode 100644
index 3ec8bec32d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
deleted file mode 100644
index b3340d6e4f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
deleted file mode 100644
index 49c41b313d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
deleted file mode 100644
index 51abff3771..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
deleted file mode 100644
index cf9f85181a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
deleted file mode 100644
index 66415d57fd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
deleted file mode 100644
index a1d9bc70d9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
deleted file mode 100644
index b09cb58508..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
deleted file mode 100644
index 19892b3a7c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
deleted file mode 100644
index cfeee8a45f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
deleted file mode 100644
index 57c40a85d0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png
deleted file mode 100644
index 58f675399a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png
deleted file mode 100644
index dd6450af37..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png
deleted file mode 100644
index 3dbbb4e09b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
deleted file mode 100644
index 89a133bcbe..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
deleted file mode 100644
index f069f140dd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
deleted file mode 100644
index e02310282d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
deleted file mode 100644
index ae14d18238..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
deleted file mode 100644
index 91109c29c9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
deleted file mode 100644
index 0aeb04bf0a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
deleted file mode 100644
index 7090e29ff1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
deleted file mode 100644
index 313b0e4b73..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
deleted file mode 100644
index e759e45f28..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
deleted file mode 100644
index 8b81622c1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
deleted file mode 100644
index 8bc8a4d845..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
deleted file mode 100644
index b31efa417c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
deleted file mode 100644
index d12500349a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
deleted file mode 100644
index e2b9b2ccae..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
deleted file mode 100644
index b549db5548..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
deleted file mode 100644
index 5c0dd50bb0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
deleted file mode 100644
index eef6b1efd0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
deleted file mode 100644
index 5ed595983a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
deleted file mode 100644
index 59291bf62e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
deleted file mode 100644
index 3142b31f51..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
deleted file mode 100644
index aa0184a2c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
deleted file mode 100644
index f282ff5e6b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
deleted file mode 100644
index 2ecd78f1ca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
deleted file mode 100644
index f397cd6797..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
deleted file mode 100644
index 30dde125e1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
deleted file mode 100644
index 0fff54b6d2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
deleted file mode 100644
index fdbc950c9e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
deleted file mode 100644
index af36a7cc4e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6b8c5f1841..4bcc628d6a 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -25,7 +25,7 @@ In the **Website learning report**, you can view a summary of the devices that h
 
 ## Access the WIP Learning reports
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 1. Select **Apps** > **Monitor** > **App protection status** > **Reports**.
 
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index af39d39146..d8992b23c1 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 319301f86f..45ec095169 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index d505b5d9ef..aab983edfc 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -127,7 +128,7 @@ This event generates when a logon session is created (on destination machine). I
 
 - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon.
 
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 
     - Domain NETBIOS name example: CONTOSO
 
@@ -191,7 +192,7 @@ This event generates when a logon session is created (on destination machine). I
 
 - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed.
 
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 
     - Domain NETBIOS name example: CONTOSO
 
@@ -289,7 +290,7 @@ For 4624(S): An account was successfully logged on.
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts.                                                |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions.                                                                                      |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                                      |
 
 - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM.
 
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 81657a6361..425447b217 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -28,7 +29,7 @@ ms.topic: reference
 
 This event is logged for any logon failure.
 
-It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.
+It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation.
 
 This event generates on domain controllers, member servers, and workstations.
 
@@ -107,11 +108,11 @@ This event generates on domain controllers, member servers, and workstations.
 
     -   Uppercase full domain name: CONTOSO.LOCAL
 
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
 
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
 
--   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+-   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field.
 
 
     <span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
@@ -146,17 +147,17 @@ This event generates on domain controllers, member servers, and workstations.
 
     -   Uppercase full domain name: CONTOSO.LOCAL
 
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
 
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
 
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+-   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
 
 **Failure Information:**
 
--   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
+-   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value.
 
--   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+-   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. The most common status codes are listed in Table 12. Windows logon status codes.
 
     <span id="_Ref433822658" class="anchor"></span>**Table 12: Windows logon status codes.**
 
@@ -189,7 +190,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 More information: <https://dev.windows.com/en-us/downloads>
 
--   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
+-   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the "Table 12. Windows logon status codes.".
 
 **Process Information:**
 
@@ -199,7 +200,7 @@ More information: <https://dev.windows.com/en-us/downloads>
 
     If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
 
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
 
 -   **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
 
@@ -219,9 +220,9 @@ More information: <https://dev.windows.com/en-us/downloads>
 
 **Detailed Authentication Information:**
 
--   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+-   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
 
--   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+-   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
 
     -   **NTLM** – NTLM-family Authentication
 
@@ -233,15 +234,15 @@ More information: <https://dev.windows.com/en-us/downloads>
 
 -   **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are:
 
-    -   “NTLM V1”
+    -   "NTLM V1"
 
-    -   “NTLM V2”
+    -   "NTLM V2"
 
-    -   “LM”
+    -   "LM"
 
-        Only populated if “**Authentication Package” = “NTLM”**.
+        Only populated if "**Authentication Package" = "NTLM"**.
 
--   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+-   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package.
 
 ## Security Monitoring Recommendations
 
@@ -250,19 +251,19 @@ For 4625(F): An account failed to log on.
 > [!IMPORTANT]
 > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
 
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+-   If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
 
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+-   You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
 <!-- -->
 
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+-   If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
 
 -   If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
 
 -   To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
 
--   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
+-   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account.
 
 -   We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
 
@@ -270,7 +271,7 @@ For 4625(F): An account failed to log on.
 
 -   If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
 
-    -   If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**.
+    -   If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**.
 
     -   If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
 
@@ -286,14 +287,14 @@ For 4625(F): An account failed to log on.
 
     |  Field                                                                         | Value to monitor for                                                                                                                                                                                |
     |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.                               |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.       |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”.                                                                                                                                                 |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”.                                                                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”.                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. <br>This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”.                                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request." <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account". <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.                               |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.       |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours".                                                                                                                                                 |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation".                                                                                                                                            |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator".                                                                                                                                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine".                                                                                            |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started". <br>This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account".                                                                                                                                                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine".                     |
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 3ca1095e98..2cefaaced0 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -26,11 +27,11 @@ ms.topic: reference
 
 ***Event Description:***
 
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided.
 
 This event generates only on domain controllers.
 
-This event is not generated if “Do not require Kerberos preauthentication” option is set for the account.
+This event is not generated if "Do not require Kerberos preauthentication" option is set for the account.
 
 > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 
@@ -127,7 +128,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
 
     -   Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
 
-> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
+> **Note**&nbsp;&nbsp;In the table below **"MSB 0"** bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
 
 The most common values:
 
@@ -185,14 +186,14 @@ The most common values:
 | 0xd         | KDC\_ERR\_BADOPTION                       | KDC cannot accommodate requested option         |
 | 0xe         | KDC\_ERR\_ETYPE\_NOSUPP                   | KDC has no support for encryption type          |
 | 0xf         | KDC\_ERR\_SUMTYPE\_NOSUPP                 | KDC has no support for checksum type            |
-| 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
+| 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
 | 0x11         | KDC\_ERR\_TRTYPE\_NOSUPP                  | KDC has no support for transited type           |
 | 0x12         | KDC\_ERR\_CLIENT\_REVOKED                 | Clients credentials have been revoked           |
 | 0x13         | KDC\_ERR\_SERVICE\_REVOKED                | Credentials for server have been revoked        |
 | 0x14         | KDC\_ERR\_TGT\_REVOKED                    | TGT has been revoked                            |
 | 0x15         | KDC\_ERR\_CLIENT\_NOTYET                  | Client not yet valid; try again later           |
 | 0x16         | KDC\_ERR\_SERVICE\_NOTYET                 | Server not yet valid; try again later           |
-| 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user’s password has expired.
+| 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user's password has expired.
 | 0x18         | KDC\_ERR\_PREAUTH\_FAILED                 | Pre-authentication information was invalid      |The wrong password was provided.
 | 0x19         | KDC\_ERR\_PREAUTH\_REQUIRED               | Additional pre-authentication required          |
 | 0x1a         | KDC\_ERR\_SERVER\_NOMATCH                 | Requested server and ticket don't match         |
@@ -260,9 +261,9 @@ The most common values:
 
 - **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
 
-- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate's serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
 
-- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate's thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
 
 ## Security Monitoring Recommendations
 
@@ -270,11 +271,11 @@ For 4771(F): Kerberos pre-authentication failed.
 
 | **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                 |
 |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                           |
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Security ID"** that corresponds to the high-value account or accounts.                                                              |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Security ID"** (with other information) to monitor how or when a particular account is being used. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **"Security ID"** that corresponds to the accounts that should never be used.                                                          |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a "allow list-only" action, review the **"Security ID"** for accounts that are outside the allow list.                                  |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                           |
 
 -   You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
 
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index e411b647ce..ad57e347c4 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -34,11 +35,11 @@ It shows successful and unsuccessful credential validation attempts.
 
 It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event.
 
-If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
+If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to "**0x0**".
 
 The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
 
-For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
+For monitoring local account logon attempts, it's better to use event "[4624](event-4624.md): An account was successfully logged on" because it contains more details and is more informative.
 
 This event also generates when a workstation unlock event occurs.
 
@@ -85,7 +86,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 
 ***Field Descriptions:***
 
--   **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event.
+-   **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always "**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**" for [4776](event-4776.md) event.
 
 > **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
 
@@ -101,7 +102,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 
 -   **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated.
 
--   **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has “**0x0**” value. The table below contains most common error codes for this event:
+-   **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has "**0x0**" value. The table below contains most common error codes for this event:
 
 | Error Code | Description                                                                                                                                                                                                                                                                               |
 |------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -126,16 +127,16 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
 
 | **Type of monitoring required**     | **Recommendation**          |
 |-----------------|---------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts.        |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used.   |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.   | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list.     |
-| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on.   | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about.  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.  | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Logon Account"** that corresponds to the high-value account or accounts.        |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Logon Account"** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Logon Account"** that should never be used.   |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.   | If this event corresponds to a "allow list-only" action, review the **"Logon Account"** for accounts that are outside the allow list.     |
+| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on.   | Monitor the target **Source Workstation** for credential validation requests from the **"Logon Account"** that you're concerned about.  |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.  | Monitor "**Logon Account"** for names that don't comply with naming conventions. |
 
--   If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
+-   If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don't forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
 
--   You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
+-   You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don't forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
 
 -   If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
 
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 97c0977a60..e935d656d9 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -212,9 +212,9 @@ For a change operation, you'll typically see two 5136 events for one action, wit
 
 -   **Type** \[Type = UnicodeString\]**:** type of performed operation.
 
-    -   **Value Added** – new value added.
+    -   **Value Added** – new value added ('%%14674')
 
-    -   **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation).
+    -   **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation).
 
 <!-- -->
 
@@ -236,4 +236,5 @@ For 5136(S): A directory service object was modified.
 
 -   If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
 
--   It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
\ No newline at end of file
+-   It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
+   
diff --git a/windows/security/threat-protection/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png
deleted file mode 100644
index 56d7caa0c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png
deleted file mode 100644
index 2ffc025437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index ebf21e1e50..3985c12068 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/09/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
deleted file mode 100644
index 043da38016..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png
deleted file mode 100644
index 1943ec1fab..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png
deleted file mode 100644
index 6913ecfcc6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png
deleted file mode 100644
index d35b3507f8..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png
deleted file mode 100644
index c2cec3aca1..0000000000
Binary files a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png
deleted file mode 100644
index 4bf90b2b8a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png
deleted file mode 100644
index d08380470f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/baselines.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
deleted file mode 100644
index 3080e0d1f0..0000000000
Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png
deleted file mode 100644
index f4f5e4804b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/bluetooth.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png
deleted file mode 100644
index 6951e4ed5a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/class-guids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
deleted file mode 100644
index 9d295dfa6b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
deleted file mode 100644
index 4b8c80fdd7..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
deleted file mode 100644
index eaba30b27f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
deleted file mode 100644
index b0b7eb7237..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png
deleted file mode 100644
index 95ac48ec54..0000000000
Binary files a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png
deleted file mode 100644
index 44be977537..0000000000
Binary files a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png
deleted file mode 100644
index 829014859f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolcard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png
deleted file mode 100644
index a7cd33c892..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
deleted file mode 100644
index cd814377be..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
deleted file mode 100644
index 4743358c57..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
deleted file mode 100644
index 10b636fc0d..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicevendorid.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png
deleted file mode 100644
index cf8399acf4..0000000000
Binary files a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
deleted file mode 100644
index 152822dc29..0000000000
Binary files a/windows/security/threat-protection/device-control/images/general-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png
deleted file mode 100644
index 9017f289f6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/hardware-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png
deleted file mode 100644
index 55be4d714a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
deleted file mode 100644
index c86eab1470..0000000000
Binary files a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 003104ce73..9c1feb7d06 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,6 +10,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.reviewer: 
@@ -77,7 +78,7 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s
 
 > [!IMPORTANT]
 >
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
 >
 > - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
 >
diff --git a/windows/security/threat-protection/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
deleted file mode 100644
index fa2c162cc0..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
deleted file mode 100644
index 4439bd2764..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
deleted file mode 100644
index db0ddb80db..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
deleted file mode 100644
index 55344d70d1..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
deleted file mode 100644
index d79ca2c2af..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
deleted file mode 100644
index 08492ef73b..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
deleted file mode 100644
index 2c5c7236eb..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
deleted file mode 100644
index 2c838be648..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
deleted file mode 100644
index 9499946283..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
deleted file mode 100644
index c6b33e6139..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png
deleted file mode 100644
index 9f0ed93274..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png
deleted file mode 100644
index bad5fe7cdd..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png
deleted file mode 100644
index 11687d092c..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png
deleted file mode 100644
index 7661cb4eb9..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png
deleted file mode 100644
index 9b423ea8ab..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
deleted file mode 100644
index 1bee48b996..0000000000
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
-description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
-keywords: virtualization, security, malware
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 10/20/2017
-ms.reviewer: 
-ms.author: vinpa
-ms.technology: itpro-security
----
-
-# Baseline protections and other qualifications for virtualization-based protection of code integrity
-
-**Applies to** 
-- Windows 10
-
-Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a  virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats.
-
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
-
-> [!WARNING]
->  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-
-The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
-
-## Baseline protections
-
-|Baseline Protections            | Description                                        | Security benefits |
-|--------------------------------|----------------------------------------------------|-------------------|
-| Hardware: **64-bit CPU**       | A 64-bit computer is required for the Windows hypervisor to provide VBS. |  |
-| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots.  |
-| Firmware: **Secure firmware update process**      | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).  | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers**       | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode.  |
-| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><b>Important:</b><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features. |
-
-> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide.
-
-## Other qualifications for improved security
-
-The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
-
-
-### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
-
-| Protections for Improved Security       | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-
-<br>
-
-### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-
-| Protections for Improved Security        | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).<br>• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-<br>
-
-### More security qualifications starting with Windows 10, version 1703
-
-
-| Protections for Improved Security          | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><b>Notes:</b><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Also note the following guidelines: <br>• Don't use sections that are both writeable and executable<br>• Don't attempt to directly modify executable system memory<br>• Don't use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
-| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks other security attacks against SMM.  |
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7b0d87f42e..4f3fd11f90 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -8,6 +8,7 @@ ms.author: paoloma
 author: paolomatarazzo
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: 
@@ -133,7 +134,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
 |Boot Manager|[10.0.15063][sp-3089]|[#3089][certificate-3089]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); CKG (vendor affirmed); HMAC (Cert. [#3061][hmac-3061]); PBKDF (vendor affirmed); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)|
 |Windows OS Loader|[10.0.15063][sp-3090]|[#3090][certificate-3090]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>[Other algorithms: NDRNG][certificate-3090]|
 |Windows Resume <sup>[1]</sup>|[10.0.15063][sp-3091]|[#3091][certificate-3091]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790])|
-|BitLocker® Dump Filter <sup>[2]</sup>|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])|
+|BitLocker&reg; Dump Filter <sup>[2]</sup>|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])|
 |Code Integrity (ci.dll)|[10.0.15063][sp-3093]|[#3093][certificate-3093]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.15063][sp-3096]|[#3096][certificate-3096]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
 
@@ -156,9 +157,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[#2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886][component-886])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[#2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887])|
 |Boot Manager|[10.0.14393][sp-2931]|[#2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|BitLocker&reg; Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker&reg; Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
 |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[#2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.14393][sp-2938]|[#2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
 
@@ -180,9 +181,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586][sp-2605]|[#2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664][component-664])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs.  [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663])|
 |Boot Manager <sup>[4]</sup>|[10.0.10586][sp-2700]|[#2700][certificate-2700]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); HMAC (Cert. [#2381][hmac-2381]); PBKDF (vendor affirmed); RSA (Cert. [#1871][rsa-1871]); SHS (Certs. [#3047][shs-3047] and [#3048][shs-3048])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])|
+|BitLocker&reg; Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])|
 |Code Integrity (ci.dll)|[10.0.10586][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[8]</sup>|[10.0.10586][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
 
@@ -208,9 +209,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240][sp-2605]|#[2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575][component-575])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576])|
 |Boot Manager<sup>[9]</sup>|[10.0.10240][sp-2600]|[#2600][certificate-2600]|FIPS approved algorithms: AES (Cert. [#3497][aes-3497]); HMAC (Cert. [#2233][hmac-2233]); KTS (AES Cert. [#3498][aes-3498]); PBKDF (vendor affirmed); RSA (Cert. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871] and [#2886][shs-2886])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])|
+|BitLocker&reg; Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])|
 |Code Integrity (ci.dll)|[10.0.10240][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[13]</sup>|[10.0.10240][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
 
@@ -237,9 +238,9 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323][component-323])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5<p>Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 
 <sup>\[14\]</sup> Applies only to Pro, Enterprise, and Embedded 8.
@@ -256,9 +257,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker&reg; Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. #1346); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -278,7 +279,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385][sp-1328]<p>[6.1.7600.16915][sp-1328]<p>[6.1.7600.21092][sp-1328]<p>[6.1.7601.17514][sp-1328]<p>[6.1.7601.17725][sp-1328]<p>[6.1.7601.17919][sp-1328]<p>[6.1.7601.21861][sp-1328]<p>[6.1.7601.22076][sp-1328]|[1328][certificate-1328]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
 |Boot Manager|[6.1.7600.16385][sp-1319]<p>[6.1.7601.17514][sp-1319]|[1319][certificate-1319]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)<p>Other algorithms: MD5|
 |Winload OS Loader (winload.exe)|[6.1.7600.16385][sp-1326]<p>[6.1.7600.16757][sp-1326]<p>[6.1.7600.20897][sp-1326]<p>[6.1.7600.20916][sp-1326]<p>[6.1.7601.17514][sp-1326]<p>[6.1.7601.17556][sp-1326]<p>[6.1.7601.21655][sp-1326]<p>[6.1.7601.21675][sp-1326]|[1326][certificate-1326]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
-|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]<p>[6.1.7600.16429][sp-1332]<p>[6.1.7600.16757][sp-1332]<p>[6.1.7600.20536][sp-1332]<p>[6.1.7600.20873][sp-1332]<p>[6.1.7600.20897][sp-1332]<p>[6.1.7600.20916][sp-1332]<p>[6.1.7601.17514][sp-1332]<p>[6.1.7601.17556][sp-1332]<p>[6.1.7601.21634][sp-1332]<p>[6.1.7601.21655][sp-1332]<p>[6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.1.7600.16385][sp-1332]<p>[6.1.7600.16429][sp-1332]<p>[6.1.7600.16757][sp-1332]<p>[6.1.7600.20536][sp-1332]<p>[6.1.7600.20873][sp-1332]<p>[6.1.7600.20897][sp-1332]<p>[6.1.7600.20916][sp-1332]<p>[6.1.7601.17514][sp-1332]<p>[6.1.7601.17556][sp-1332]<p>[6.1.7601.21634][sp-1332]<p>[6.1.7601.21655][sp-1332]<p>[6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
 |Code Integrity (CI.DLL)|[6.1.7600.16385][sp-1327]<p>[6.1.7600.17122][sp-1327]v[6.1.7600.21320][sp-1327]<p>[6.1.7601.17514][sp-1327]<p>[6.1.7601.17950][sp-1327]v[6.1.7601.22108][sp-1327]|[1327][certificate-1327]|FIPS approved algorithms: RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331]<p>(no change in SP1)|[1331][certificate-1331]|FIPS approved algorithms: DSA (Cert. [#385][dsa-385]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330]<p>(no change in SP1)|[1330][certificate-1330]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#673][hmac-673]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#557][rsa-557] and [#559][rsa-559]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -312,7 +313,7 @@ Validated Editions: Ultimate Edition
 |--- |--- |--- |--- |
 |Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] | FIPS approved algorithms: AES (Cert. [#553][aes-553]); HMAC (Cert. [#297][hmac-297]); RNG (Cert. [#321][rng-321]); RSA (Certs. [#255][rsa-255] and [#258][rsa-258]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549])<br/><br/>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|FIPS approved algorithms: DSA (Cert. [#226][dsa-226]); RNG (Cert. [#321][rng-321]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549]); Triple-DES MAC (Triple-DES Cert. [#549][tdes-549], vendor affirmed)<br/><br/>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])<br/><br/>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])<br/><br/>Other algorithms: Elephant Diffuser|
 |Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)<br/><br/>Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5|
 
 </details>
@@ -481,9 +482,9 @@ Validated Editions: Standard, Datacenter, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[10.0.14393][sp-2931]|[2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|BitLocker&reg; Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker&reg; Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
 |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5|
 |Secure Kernel Code Integrity (skci.dll)|[10.0.14393][sp-2938]|[2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5|
 
@@ -501,9 +502,9 @@ Validated Editions: Server, Storage Server,
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5|
 
 <sup>\[16\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
@@ -522,9 +523,9 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. #[1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker&reg; Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. [#1346][hmac-1346]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -542,7 +543,7 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); DSA (Cert. [#391][dsa-391]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4|
 |Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#687][hmac-687]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#559][rsa-559] and [#568][rsa-568]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|FIPS approved algorithms: DSA (Cert. [#390][dsa-390]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
 
 </details>
 
@@ -661,20 +662,20 @@ For more details, expand each algorithm section.
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064][aes-4064]<p>Version 10.0.14393|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063][aes-4063]<p>Version 10.0.14393|
 |**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062][aes-4062]<p>Version 10.0.14393|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]<p>Version 10.0.14393|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker&reg; Cryptographic Implementations [#4061][aes-4061]<p>Version 10.0.14393|
 |**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#3652][aes-3652]<p>Version 10.0.10586|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]<p>Version 10.0.10586|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker&reg; Cryptographic Implementations [#3653][aes-3653]<p>Version 10.0.10586|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA32 Algorithm Implementations [#3630][aes-3630]<p>Version 10.0.10586|
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#3629][aes-3629]<p>Version 10.0.10586|
 |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507][aes-3507]<p>Version 10.0.10240|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]<p>Version 10.0.10240|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker&reg; Cryptographic Implementations [#3498][aes-3498]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497][aes-3497]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476][aes-3476]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853][aes-2853]<p>Version 6.3.9600|
 |**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 2832][aes-2832]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848][aes-2848]<p>Version 6.3.9600|
 |**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;<p>**OtherIVLen_Supported<p>GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832][aes-2832]<p>Version 6.3.9600|
 |**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)<p>AES [validation number 2197][aes-2197]<p>**CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)<p>AES [validation number 2197][aes-2197]<p>**GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported<p>GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216][aes-2216]|
-|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]|
+|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker&reg; Cryptographic Implementations [#2198][aes-2198]|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197][aes-2197]|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196][aes-2196]|
 |**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**<p>AES [validation number 1168][aes-1168]|Windows Server 2008 R2 and SP1 CNG algorithms [#1187][aes-1187]<p>Windows 7 Ultimate and SP1 CNG algorithms [#1178][aes-1178]|
@@ -842,7 +843,7 @@ For more details, expand each algorithm section.
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>[ SHSvalidation number  2886][shs-2886]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233][hmac-2233]<p>Version 10.0.10240|
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773][hmac-1773]<p>Version 6.3.9600|
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122][hmac-2122]<p>Version 5.2.29344|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker&reg; Cryptographic Implementations #[1347][hmac-1347]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346][hmac-1346]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345][hmac-1345]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<br>**Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364][hmac-1364]|
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
deleted file mode 100644
index 6fb73d0cd6..0000000000
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Get support
-description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 06/25/2018
-ms.reviewer: 
-ms.technology: itpro-security
----
-
-# Get Support for Windows baselines
-
-## Frequently asked questions
-
-### What is the Microsoft Security Compliance Manager (SCM)?
-
-The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
-
-For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix).
-
-- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353)
-- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
-
-The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported.
-
-### Does SCT support the Desired State Configuration (DSC) file format?
-
-Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
-
-### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
-
-No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
-
-### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
-
-No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit also doesn't include SCAP support.
-
-## Version matrix
-
-### Client versions
-
-| Name | Build | Baseline release date | Security tools |
-|---|---|---|---|
-| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-### Server versions
-
-| Name | Build | Baseline release date | Security tools |
-|---|---|---|---|
-|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
-|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-### Microsoft products
-
-| Name | Details | Security tools |
-|--|--|--|
-| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-> [!NOTE]
-> Browser baselines are built-in to new OS versions starting with Windows 10.
-
-## See also
-
-[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png
deleted file mode 100644
index 3fae6eba9a..0000000000
Binary files a/windows/security/threat-protection/images/AH_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png
deleted file mode 100644
index e69ea2a796..0000000000
Binary files a/windows/security/threat-protection/images/SS_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png
deleted file mode 100644
index 63f8c75929..0000000000
Binary files a/windows/security/threat-protection/images/TVM_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
deleted file mode 100644
index 7e4e011d4f..0000000000
Binary files a/windows/security/threat-protection/images/Untitled-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png
deleted file mode 100644
index 985e3e4429..0000000000
Binary files a/windows/security/threat-protection/images/air-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png
deleted file mode 100644
index bf649e87ec..0000000000
Binary files a/windows/security/threat-protection/images/asr-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
deleted file mode 100644
index 2f8eb02556..0000000000
Binary files a/windows/security/threat-protection/images/asr-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
deleted file mode 100644
index fa6285cb56..0000000000
Binary files a/windows/security/threat-protection/images/asr-rules-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
deleted file mode 100644
index 569ee7a256..0000000000
Binary files a/windows/security/threat-protection/images/asr-test-tool.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
deleted file mode 100644
index f93dbe34e3..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-app-ps.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
deleted file mode 100644
index afb220f764..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
deleted file mode 100644
index 88cd35c6ce..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-folder-ps.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
deleted file mode 100644
index 89abf15424..0000000000
Binary files a/windows/security/threat-protection/images/cfa-audit-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
deleted file mode 100644
index 96e6874361..0000000000
Binary files a/windows/security/threat-protection/images/cfa-filecreator.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
deleted file mode 100644
index f8d3056d80..0000000000
Binary files a/windows/security/threat-protection/images/cfa-gp-enable.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
deleted file mode 100644
index 62ca8c3021..0000000000
Binary files a/windows/security/threat-protection/images/cfa-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
deleted file mode 100644
index 7441a54834..0000000000
Binary files a/windows/security/threat-protection/images/cfa-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
deleted file mode 100644
index a61b54a696..0000000000
Binary files a/windows/security/threat-protection/images/cfa-prot-folders.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/check-no.png b/windows/security/threat-protection/images/check-no.png
deleted file mode 100644
index 040c7d2f63..0000000000
Binary files a/windows/security/threat-protection/images/check-no.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
deleted file mode 100644
index f9a64efbd7..0000000000
Binary files a/windows/security/threat-protection/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
deleted file mode 100644
index 1253d68613..0000000000
Binary files a/windows/security/threat-protection/images/create-exploit-guard-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png
deleted file mode 100644
index 8c750dee42..0000000000
Binary files a/windows/security/threat-protection/images/edr-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
deleted file mode 100644
index ddf0ca23e9..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-allow.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
deleted file mode 100644
index 7401e1e87f..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-folder.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
deleted file mode 100644
index f8e4dc98d1..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
deleted file mode 100644
index 620d786868..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
deleted file mode 100644
index e89118fd47..0000000000
Binary files a/windows/security/threat-protection/images/enable-ep-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
deleted file mode 100644
index 604dceff4c..0000000000
Binary files a/windows/security/threat-protection/images/enable-np-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
deleted file mode 100644
index eafac1db7a..0000000000
Binary files a/windows/security/threat-protection/images/ep-default.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
deleted file mode 100644
index d36cdd8498..0000000000
Binary files a/windows/security/threat-protection/images/ep-prog.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
deleted file mode 100644
index 96d12d3af1..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer-import.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
deleted file mode 100644
index 7909bfe728..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
deleted file mode 100644
index 68f057de3a..0000000000
Binary files a/windows/security/threat-protection/images/events-create.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
deleted file mode 100644
index 55e77c546f..0000000000
Binary files a/windows/security/threat-protection/images/events-import.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
deleted file mode 100644
index d7b921aa69..0000000000
Binary files a/windows/security/threat-protection/images/exp-prot-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/get-support.png b/windows/security/threat-protection/images/get-support.png
deleted file mode 100644
index 427ba670de..0000000000
Binary files a/windows/security/threat-protection/images/get-support.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png
deleted file mode 100644
index 75540493da..0000000000
Binary files a/windows/security/threat-protection/images/lab-creation-page.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png
deleted file mode 100644
index 4bdc6c0c9c..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png
deleted file mode 100644
index becb48f0ed..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png
deleted file mode 100644
index f78d187b04..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png
deleted file mode 100644
index 6f9b3725f8..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png
deleted file mode 100644
index 1d5693a399..0000000000
Binary files a/windows/security/threat-protection/images/mte-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png
deleted file mode 100644
index 9aca3db517..0000000000
Binary files a/windows/security/threat-protection/images/ngp-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
deleted file mode 100644
index 69eb1bbeee..0000000000
Binary files a/windows/security/threat-protection/images/np-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png
deleted file mode 100644
index 4ec2be97af..0000000000
Binary files a/windows/security/threat-protection/images/powershell-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
deleted file mode 100644
index 00225ec18c..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-blocks.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
deleted file mode 100644
index dfb1cb201b..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-rules.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
deleted file mode 100644
index 2868712541..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
deleted file mode 100644
index bd2e57d73f..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
deleted file mode 100644
index d7a896332a..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep-xml.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
deleted file mode 100644
index 1d16250401..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
deleted file mode 100644
index 0655fdad69..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
deleted file mode 100644
index a9f11a2e95..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png
deleted file mode 100644
index 06f66acf99..0000000000
Binary files a/windows/security/threat-protection/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png
deleted file mode 100644
index 270480af39..0000000000
Binary files a/windows/security/threat-protection/images/security-compliance-toolkit-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png
deleted file mode 100644
index 75467f2098..0000000000
Binary files a/windows/security/threat-protection/images/security-control-classification.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png
deleted file mode 100644
index 4f869474e2..0000000000
Binary files a/windows/security/threat-protection/images/security-control-deployment-methodologies.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png
deleted file mode 100644
index f7ca20f34e..0000000000
Binary files a/windows/security/threat-protection/images/security-update.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg
deleted file mode 100644
index e79d2b057d..0000000000
Binary files a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
deleted file mode 100644
index 89a87afa8b..0000000000
--- a/windows/security/threat-protection/images/svg/check-no.svg
+++ /dev/null
@@ -1,7 +0,0 @@
-<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
-    <title>Check mark no</title>
-    <polygon 
-        fill='#d83b01' 
-        points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'
-     />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
deleted file mode 100644
index 483ff5fefc..0000000000
--- a/windows/security/threat-protection/images/svg/check-yes.svg
+++ /dev/null
@@ -1,7 +0,0 @@
-<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
-    <title>Check mark yes</title>
-    <path
-        fill='#0E8915' 
-        d='M129 20L55 94 21 60 10 71l45 45 85-85z'
-    />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png
deleted file mode 100644
index aecbb68522..0000000000
Binary files a/windows/security/threat-protection/images/tpm-capabilities.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png
deleted file mode 100644
index fa092591a1..0000000000
Binary files a/windows/security/threat-protection/images/tpm-remote-attestation.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png
deleted file mode 100644
index 8d47a53b51..0000000000
Binary files a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png
deleted file mode 100644
index 6a1cc80fd4..0000000000
Binary files a/windows/security/threat-protection/images/vbs-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png
deleted file mode 100644
index e90d1cc12c..0000000000
Binary files a/windows/security/threat-protection/images/wanna1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png
deleted file mode 100644
index 7b4a1dcd97..0000000000
Binary files a/windows/security/threat-protection/images/wanna2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png
deleted file mode 100644
index 9b0b176366..0000000000
Binary files a/windows/security/threat-protection/images/wanna3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png
deleted file mode 100644
index 17fefde707..0000000000
Binary files a/windows/security/threat-protection/images/wanna4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png
deleted file mode 100644
index 92ecf67d20..0000000000
Binary files a/windows/security/threat-protection/images/wanna5.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png
deleted file mode 100644
index 26824af34d..0000000000
Binary files a/windows/security/threat-protection/images/wanna6.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png
deleted file mode 100644
index 634bd1449d..0000000000
Binary files a/windows/security/threat-protection/images/wanna7.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png
deleted file mode 100644
index 59b42eb6f6..0000000000
Binary files a/windows/security/threat-protection/images/wanna8.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
deleted file mode 100644
index 8a67d190b7..0000000000
Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
deleted file mode 100644
index 312167da41..0000000000
Binary files a/windows/security/threat-protection/images/wdeg.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
deleted file mode 100644
index 01801a519d..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
deleted file mode 100644
index 38404d7569..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
deleted file mode 100644
index eac90e96f5..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-export.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
deleted file mode 100644
index 53edeb6135..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
deleted file mode 100644
index 67abde13e0..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot.png and /dev/null differ
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
deleted file mode 100644
index 307fd1ee4b..0000000000
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-ms.reviewer: 
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
- 
-# What is Microsoft Baseline Security Analyzer and its uses?
- 
-Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. 
- 
-MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
-
-> [!NOTE]
-> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
- 
-## The Solution 
-A script can help you with an alternative to MBSA’s patch-compliance checking:
- 
-- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. 
-For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
- 
-For example:
- 
-[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
-[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
-  
-The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
-The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
- 
-## More Information  
-
-For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
-
-- [Windows security baselines](windows-security-baselines.md) 
-- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) 
-- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
deleted file mode 100644
index 08cb4d5676..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
deleted file mode 100644
index 9e58d99ead..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
deleted file mode 100644
index 877b707030..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
deleted file mode 100644
index 5172022256..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index ad5d373c27..43d0713f40 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: how-to
 ---
 
@@ -98,7 +99,7 @@ Application Guard functionality is turned off by default. However, you can quick
 
 :::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
 
    1. In the **Platform** list, select **Windows 10 and later**. 
    
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 6b284c9344..afc6aaef79 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -15,6 +15,7 @@ ms.custom: asr
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: conceptual
 ---
 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
deleted file mode 100644
index daa96d291d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#32bedd" />
-      <stop offset="0.175" stop-color="#32caea" />
-      <stop offset="0.41" stop-color="#32d2f2" />
-      <stop offset="0.775" stop-color="#32d4f5" />
-    </linearGradient>
-  </defs>
-  <title>MsPortalFx.base.images-10</title>
-  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
-    <g>
-      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
-      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
-      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
-      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
-      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
-    </g>
-  </g>
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
-  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#76bc2d" />
-      <stop offset="0.32" stop-color="#73b82c" />
-      <stop offset="0.65" stop-color="#6cab29" />
-      <stop offset="0.99" stop-color="#5e9724" />
-      <stop offset="1" stop-color="#5e9624" />
-    </linearGradient>
-    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#0078d4" />
-      <stop offset="0.17" stop-color="#1c84dc" />
-      <stop offset="0.38" stop-color="#3990e4" />
-      <stop offset="0.59" stop-color="#4d99ea" />
-      <stop offset="0.8" stop-color="#5a9eee" />
-      <stop offset="1" stop-color="#5ea0ef" />
-    </linearGradient>
-  </defs>
-  <title>Icon-general-18</title>
-  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
-  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
deleted file mode 100644
index a3286fb528..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
deleted file mode 100644
index e51cd9384c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 393d33b206..ba53584a0f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.technology: itpro-security
 adobe-target: true
 ms.collection: 
+  - tier2
   - highpri
 ms.date: 12/31/2017
 ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index 0ee92c6736..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows)
-description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
-ms.prod: windows-client
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
-ms.topic: how-to
----
-
-# Set up and use Microsoft Defender SmartScreen on individual devices
-
-**Applies to:**
-- Windows 10, version 1703
-- Windows 11
-- Microsoft Edge
-
-Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
-
-## How users can use Windows Security to set up Microsoft Defender SmartScreen
-Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
-
->[!NOTE]
->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-
-**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
-1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
-
-2. In the **Reputation-based protection** screen, choose from the following options:
-
-   - In the **Check apps and files** area:
-
-       - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
-
-       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
-
-   - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
-        
-       - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
-        
-       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
-   - In the **Potentially unwanted app blocking** area:
-
-      - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md#potentially-unwanted-application-pua).
-          - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device.
-
-          - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium).
-
-      - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
-
-   - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
-        
-     - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
-        
-     - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-
-       ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png)
-
-## How Microsoft Defender SmartScreen works when a user tries to run an app
-Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-
-By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
-
-## How users can report websites as safe or unsafe
-Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
-
-**To report a website as safe from the warning message**
-- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
-
-**To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
-
-**To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
-
-## Related topics
-- [Threat protection](../index.md)
-
-- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index e6f9bec119..969423ed4a 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 08/16/2021
 ms.technology: itpro-security
@@ -23,7 +24,7 @@ ms.technology: itpro-security
 
 **Applies to**
 -   Windows 11
--   Windows 10
+-   Windows 10
 
 Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.
 
@@ -47,7 +48,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes.
 
 ### Default values
 
-The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
 
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index 7436c55ccd..1aa90a6526 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 11/02/2018
 ms.technology: itpro-security
@@ -34,7 +35,7 @@ The **Account lockout threshold** policy setting determines the number of failed
 Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.
 However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account.
 
-Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
+Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn't need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
 
 ### Possible values
 
@@ -46,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
 
 ### Best practices
 
-The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization.
+The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization.
 
 As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
@@ -116,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
     
 -   Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
 
-    [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
+    [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
     
     Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
 
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index bd80ebe594..760392434f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md).
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).
 
 There are two options if this setting is enabled:
 
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 8cdc5e7f53..f28c135001 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
deleted file mode 100644
index 52acafba66..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
deleted file mode 100644
index 858be4e70e..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
deleted file mode 100644
index 2efa6877c8..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
deleted file mode 100644
index f0dbde13f1..0000000000
--- a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 1/4/2019
-ms.reviewer: 
-manager: aaroncz
-ms.topic: include
-ms.prod: m365-security
----
-Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b65e3da751..41c09e6eb4 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/18/2018
 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user's session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
 
 > [!NOTE]
 > If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
@@ -42,7 +43,7 @@ If **Machine will be locked after** is set to zero (0) or has no value (blank),
 
 ### Best practices
 
-Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
+Set the time for elapsed user-input inactivity based on the device's usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
 
 ### Location
 
@@ -52,7 +53,7 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol
 
 ### Default values
 
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 
 | Server type or GPO | Default value |
 | - | - |
@@ -85,7 +86,7 @@ This policy setting helps you prevent unauthorized access to devices under your
 
 ### Countermeasure
 
-Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements.
+Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device's usage and location requirements.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 91919d8ae3..92341b9213 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
 
 ### Best practices
 
-The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. 
+The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting. 
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index bcdeda1852..5eb5a6a0b4 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 02c1a25fd5..f9b90574fd 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da
 
 ### Best practices
 
-[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day. 
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day. 
 
 Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. 
 Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. 
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index cde1a5df8b..b74a12c22c 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 03/30/2022
 ms.technology: itpro-security
@@ -50,7 +51,7 @@ In addition, requiring long passwords can actually decrease the security of an o
 
 ### Default values
 
-The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
 
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 67f28accd4..42cb403da5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -11,6 +11,7 @@ ms.reviewer:
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ---
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index a9b0b1ae89..465adda6a7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -9,6 +9,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index e1585d602e..23edb11516 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
@@ -75,7 +76,7 @@ HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 
 ### Default values
 
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 
 | Server type or GPO | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index d6f73cfb32..b84eb1eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.technology: itpro-security
 ms.date: 12/31/2017
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index b4163b8525..e28f4796b7 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index 1891e3b322..275d4a0bd8 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
 
 Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. 
 
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
 ### Location
 
@@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the
 
 ### Countermeasure
 
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15.
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 79136b00da..e5a2bba1d9 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index f8f1af1c61..205e5f9c9a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
 
 We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode.
 
-For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
+For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 0439fc8ee1..7e7e14c8c0 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index c2987aea45..bf315dd58b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 10/16/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 642b8ea960..56ce82d42e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -38,15 +38,16 @@ To use AppLocker, you need:
 -   For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
 -   Devices running a supported operating system to enforce the AppLocker rules that you create.
 
->**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
+>[!NOTE]
+>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies 
  
 ## Operating system requirements
 
-The following table shows the on which operating systems AppLocker features are supported.
+The following table shows the Windows versions on which AppLocker features are supported.
 
 | Version | Can be configured | Can be enforced | Available rules | Notes |
 | - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016. |
+| Windows 10 and Windows 11| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul> |
 | Windows Server 2019<br/>Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
 | Windows 8.1 Pro| Yes| No| N/A||
 | Windows 8.1 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
@@ -54,16 +55,19 @@ The following table shows the on which operating systems AppLocker features are
 | Windows 8 Pro| Yes| No| N/A||
 | Windows 8 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL||
 | Windows RT| No| No| N/A| |
-| Windows Server 2008 R2 Standard| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
-| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
-| Windows 7 Ultimate| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
-| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
+| Windows Server 2008 R2 Standard| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
+| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
+| Windows 7 Ultimate| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
+| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules won't be enforced.|
 | Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.|
  
 
-AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
+AppLocker isn't supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature isn't supported on the above operating systems.
+
+>[!NOTE]
+>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
 
 ## See also
 - [Administer AppLocker](administer-applocker.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
deleted file mode 100644
index acdfc6b79b..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ /dev/null
@@ -1,165 +0,0 @@
----
-title: Use audit events to create then enforce WDAC policy rules (Windows)
-description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
-ms.date: 05/03/2021
-ms.technology: itpro-security
-ms.topic: article
----
-
-# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
-
-**Applies to:**
-
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
-
-Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your Windows Defender Application Control policy (WDAC) but should be included.
-
-While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
-
-## Overview of the process to create WDAC policy to allow apps using audit events
-
-> [!NOTE]
-> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
-
-To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
-
-1. Install and run an application not allowed by the WDAC policy but that you want to allow.
-
-2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
-
-   **Figure 1. Exceptions to the deployed WDAC policy** <br>
-
-   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
-
-3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
-
-   ```powershell
-   $PolicyName= "Lamna_FullyManagedClients_Audit"
-   $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
-   $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
-   $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
-   ```
-
-4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
-
-   ```powershell
-   New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
-   ```
-
-   > [!NOTE]
-   > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of  **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
-
-5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
-
-6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
-
-   > [!NOTE]
-   > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
-
-7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
-
-    For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
-
-8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
-
-## Convert WDAC **BASE** policy from audit to enforced
-
-As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
-
-**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
-
-Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
-
-1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
-
-   ```powershell
-   $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced"
-   $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml"
-   $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml"
-   cp $AuditPolicyXML $EnforcedPolicyXML
-   ```
-
-2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
-
-   ```powershell
-   $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
-   $EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
-   ```
-
-   > [!NOTE]
-   > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
-
-3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
-
-   ```powershell
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10
-   ```
-
-4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement:
-
-   ```powershell
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
-   ```
-
-5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
-
-   > [!NOTE]
-   > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
-
-   ```powershell
-   $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
-   ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
-   ```
-
-## Make copies of any needed **supplemental** policies to use with the enforced base policy
-
-Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure.
-
-1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used.
-
-   ```powershell
-   $SupplementalPolicyName = "Lamna_Supplemental1"
-   $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml"
-   $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml"
-   ```
-
-2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement.
-
-   ```powershell
-   $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID
-   $SupplementalPolicyID = $SupplementalPolicyID.Substring(11)
-   ```
-
-   > [!NOTE]
-   > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
-
-3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary:
-
-   ```powershell
-   $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
-   ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
-   ```
-
-4. Repeat the steps above if you have other supplemental policies to update.
-
-## Deploy your enforced policy and supplemental policies
-
-Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 0286b18ad3..1e580c8d82 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -35,7 +35,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
 
 | **Example Base Policy** | **Description** | **Where it can be found** |
 |-------------------------|---------------------------------------------------------------|--------|
-| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
+| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
 | **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
 | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
 | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 23e85b02c4..53ab972b90 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -27,7 +27,7 @@ ms.topic: overview
 | Capability  | Windows Defender Application Control | AppLocker   |
 |-------------|------|-------------|
 | Platform support    | Available on Windows 10, Windows 11, and Windows Server 2016 or later.  | Available on Windows 8 or later.   |
-| SKU availability     | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies deployed through GP are only supported on Enterprise and Server editions.<br>Policies deployed through MDM are supported on all editions. |
+| SKU availability     | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul>|
 | Management solutions   | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
 | Per-User and Per-User group rules | Not available (policies are device-wide).  | Available on Windows 8+.  |
 | Kernel mode policies  | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png
deleted file mode 100644
index dac1240786..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
deleted file mode 100644
index 12ec2b924f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png
deleted file mode 100644
index 5cdb4cf3c4..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png
deleted file mode 100644
index 8ef2d0e3ce..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png
deleted file mode 100644
index f201956d4d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png
deleted file mode 100644
index 0c5eacc3f9..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png
deleted file mode 100644
index 98e5507000..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png
deleted file mode 100644
index 1b5483103b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
deleted file mode 100644
index c37d55910d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
deleted file mode 100644
index e132440266..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png
deleted file mode 100644
index cbd0366eff..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png
deleted file mode 100644
index 4d8325baa6..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png
deleted file mode 100644
index e5ae089d6b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png
deleted file mode 100644
index 55f5173b03..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png
deleted file mode 100644
index 67df953a08..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index e0b383d280..7acb0c4301 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 author: jgeurten
 ms.reviewer: jsuther
 ms.author: vinpa
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 6ac671b28d..9f5f66cd38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 author: vinaypamnani-msft
 ms.reviewer: isbrahm
 ms.author: vinpa
@@ -38,7 +39,7 @@ In most organizations, information is the most valuable asset, and ensuring that
 
 Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
 
-Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
 
 > [!NOTE]
 > Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
deleted file mode 100644
index 363648cbc0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
deleted file mode 100644
index eec35c6dcf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png
deleted file mode 100644
index abf5a30659..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
deleted file mode 100644
index a3773ffe67..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Manage Windows Security in Windows 10 in S mode
-description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance.
-keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/30/2018
-ms.reviewer: 
-manager: aaroncz
-ms.technology: itpro-security
-ms.topic: how-to
----
-
-# Manage Windows Security in Windows 10 in S mode
-
-**Applies to**
-
-- Windows 10 in S mode, version 1803
-
-Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software.
-
-The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
-
-:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png":::
-
-For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
-
-## Managing Windows Security settings with Intune
-
-In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts.
-
-For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 3f25837b24..41b535c96b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -11,6 +11,7 @@ manager: aaroncz
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.date: 12/31/2017
 ms.topic: article
 ---
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png
deleted file mode 100644
index 99e8cb1384..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f605793303..6c14ed44e0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
 - Windows 11
 - Windows 10
 
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
 
 > [!NOTE]
 > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -76,7 +76,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
 ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 4aeb22b1f0..c1666220e4 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index c3caab02c2..b607d65908 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: article
 ms.technology: itpro-security
 appliesto: 
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index f8f7c3977f..8fcc33e6d3 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index ea3861bad7..2f4b0c3d20 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
@@ -51,11 +52,13 @@ This topic describes how to create a standard port rule for a specified protocol
 
 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
 
-   >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+   > [!Note]
+   > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
 5. On the **Program** page, click **All programs**, and then click **Next**.
 
-   >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
+   > [!Note]
+   > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
 
 6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
 
@@ -71,6 +74,7 @@ This topic describes how to create a standard port rule for a specified protocol
 
 9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
 
-   >**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type.
+   > [!Note]
+   > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
    
 10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 4782bb53e2..27f549300c 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -24,9 +24,9 @@ ms.date: 12/31/2017
 >[!IMPORTANT]
 >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-To get started, Open the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type. 
+To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type. 
 Select Windows Defender Firewall.
-:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Endpoint Manager admin center.":::
+:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
 
 >[!IMPORTANT]
 >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 77ea069a39..cce89be934 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
deleted file mode 100644
index 759c9f4ce3..0000000000
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
-description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
-  - ✅ <b>Windows Server 2016</b>
-  - ✅ <b>Windows Server 2019</b>
-  - ✅ <b>Windows Server 2022</b>
----
-
-# Evaluating Windows Defender Firewall with Advanced Security Design Examples
-
-
-The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
-
--   [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md)
-
--   [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
-
--   [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
-
--   [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
-
diff --git a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif
deleted file mode 100644
index 5c7dfb0ebc..0000000000
Binary files a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif and /dev/null differ
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 0dead272e0..7bd82a831e 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
deleted file mode 100644
index 430a461918..0000000000
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Procedures Used in This Guide (Windows)
-description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
-  - ✅ <b>Windows Server 2016</b>
-  - ✅ <b>Windows Server 2019</b>
-  - ✅ <b>Windows Server 2022</b>
----
-
-# Procedures Used in This Guide
-
-
-The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
-
-- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-
-- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-
-- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-
-- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-
-- [Configure Authentication Methods](configure-authentication-methods.md)
-
-- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-
-- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-
-- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-
-- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-
-- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)
-
-- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-
-- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-
-- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-
-- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-
-- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-
-- [Create a Group Policy Object](create-a-group-policy-object.md)
-
-- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-
-- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-
-- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-
-- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-
-- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-
-- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-
-- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-
-- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-
-- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-
-- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-
-- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-
-- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-
-- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-
-- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-
-- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-
-- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md)
-
-- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
-
-- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
-
-- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
-
-- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 56c5f70707..13cf7bd61a 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -8,6 +8,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.reviewer: jekrynit
@@ -36,7 +37,7 @@ The Windows Defender Firewall with Advanced Security MMC snap-in is more flexibl
 
 ## Feature description
 
-Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
+Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.
 
 ## Practical applications
 
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index ecb03506c1..c79a189b61 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -10,6 +10,8 @@ ms.localizationpriority: medium
 ms.date: 11/4/2022
 ms.reviewer: paoloma
 ms.technology: itpro-security
+ms.collection:
+    - tier3
 ---
 
 # Common Criteria certifications
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
deleted file mode 100644
index 94be89b74f..0000000000
Binary files a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index a6ce54113b..4ff1d859be 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 3987f694a9..6e2f83d198 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
deleted file mode 100644
index 242f5dd9bc..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index b08b62f673..bac325bbe0 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 02/14/2022
 ms.reviewer: rmunck
@@ -20,7 +21,7 @@ ms.technology: itpro-security
 
 The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
 
-The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
 <p></p>
 
 The Security Compliance Toolkit consists of:
@@ -74,9 +75,9 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu
 
 LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. 
 Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. 
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files. 
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files. 
 It can export local policy to a GPO backup. 
-It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 
 Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 0c513379b1..807e2e2800 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 01/26/2022
 ms.reviewer: jmunck
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 64689039a1..ad5c50ecc7 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -1,7 +1,6 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-search.appverid: MET150
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: conceptual
 ms.date: 09/21/2021
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection: 
-ms.custom: 
 ms.reviewer: jsuther
 ---
 
@@ -25,11 +21,11 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
 
 The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
 
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with. 
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. 
 
 ## Trusted Boot
 
-Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
 
 Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ac2853f72a..a436940952 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -165,7 +165,7 @@ Windows Hello enhancements include:
 
 ### Microsoft Intune family of products
 
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 
 ### Configuration Manager
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 9b27125a3b..297b322ba9 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -73,7 +73,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic
 
 ### Microsoft Intune family of products
 
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 
 ### Windows 10 Pro and Enterprise in S mode
 
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 118d9441cc..4e17202352 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -71,7 +71,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep
 Enhancements to Windows Autopilot since the last release of Windows 10 include:
 - [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
 - [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
+- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
 
 ### Windows Assessment and Deployment Toolkit (ADK)
 
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
deleted file mode 100644
index bdfa205f5c..0000000000
--- a/windows/whats-new/windows-10-insider-preview.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Documentation for Windows 10 Insider Preview (Windows 10)
-description: Preliminary documentation for some Windows 10 features in Insider Preview.
-ms.prod: windows-client
-author: dansimp
-ms.date: 04/14/2017
-ms.reviewer: 
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.technology: itpro-fundamentals
----
-
-# Documentation for Windows 10 Insider Preview
-
->[!NOTE]
-> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently.
-
-
-
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 38dd1a3030..2147e2d0ce 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -73,7 +73,7 @@ The recommended method to determine if your infrastructure, deployment processes
 
 As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
 - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
-- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
 - Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). 
 
 For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664).