pull from pm-20240206-docfx

Paolo Matarazzo 2024-02-06 09:52:21 -05:00
commit 043a77919d
62 changed files with 687 additions and 357 deletions

View File

@ -487,7 +487,7 @@
}, },
{ {
"source_path": "windows/configuration/lockdown-features-windows-10.md", "source_path": "windows/configuration/lockdown-features-windows-10.md",
"redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10", "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
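Review bot: Pointing `windows/configuration/lockdown-features-windows-10.md` straight at the `/previous-versions/...` URL avoids a chained redirect, because the old target `/windows/configuration/kiosk/lockdown-features-windows-10` is itself redirected to the same previous-versions URL in the next hunk; no change needed here, just noting that both entries must land together.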
@ -574,6 +574,16 @@
"source_path": "windows/configuration/windows-spotlight.md", "source_path": "windows/configuration/windows-spotlight.md",
"redirect_url": "/windows/configuration/lock-screen/windows-spotlight", "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/lockdown-features-windows-10.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md",
"redirect_url": "/windows/configuration/kiosk/find-aumid",
"redirect_document_id": false
} }
] ]
} }
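Review bot: For the `windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md` -> `/windows/configuration/kiosk/find-aumid` entry, consider whether `redirect_document_id` should be `true` rather than `false`: unlike the `lockdown-features-windows-10` entry above it, this is a rename of a live article (the edited "Find the Application User Model ID of an installed app" page further down keeps its title), and `true` is what lets the new path inherit the old page's document id.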

View File

@ -36,7 +36,6 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>| | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
> [!TIP] > [!TIP]
> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup> > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>
@ -52,14 +51,13 @@ Content-Type: application/json
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: [!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]
| Setting | | Setting |
|--------| |--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>| | <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. [!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]
--- ---
## How to use Stickers ## How to use Stickers
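Review bot: `provisioning-package-1.md` and `provisioning-package-2.md` under `includes/configure/` are referenced here for the first time but are not added anywhere in the visible part of this diff; confirm they already exist or are among the other changed files, otherwise the build fails on an unresolved include.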
@ -76,8 +74,3 @@ Multiple stickers can be added from the picker by selecting them. The stickers c
:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true"::: :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
Select the *X button* at the top of the screen to save your progress and close the sticker editor. Select the *X button* at the top of the screen to save your progress and close the sticker editor.
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
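Review bot: Removing the `[MEM-1]` definition is only safe if no `[MEM-1]` reference survives in this file; the hunks above replace the `[WIN-1]` and `[WIN-2]` usages, but no `[MEM-1]` usage is touched anywhere in this diff, so grep the Intune tab for it before merging or the link renders as literal bracketed text.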

View File

@ -68,7 +68,6 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -85,7 +84,7 @@ Create a provisioning package using the Set up School PCs app, configuring the s
### Create a provisioning package using Windows Configuration Designer ### Create a provisioning package using Windows Configuration Designer
[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings: [!INCLUDE [provisioning-package-1](../../includes/configure/provisioning-package-1.md)]
| Setting | | Setting |
|--------| |--------|
@ -99,22 +98,11 @@ Create a provisioning package using the Set up School PCs app, configuring the s
:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. [!INCLUDE [provisioning-package-2](../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) #### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). [!INCLUDE [powershell-wmi-bridge-1](../../includes/configure/powershell-wmi-bridge-1.md)]
> [!TIP]
> PowerShell scripts can be executed as scheduled tasks via Group Policy.
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
Edit the following sample PowerShell script to: Edit the following sample PowerShell script to:
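Review bot: The `> [!TIP]` about running PowerShell scripts as scheduled tasks via Group Policy is dropped here and does not reappear in the new `powershell-wmi-bridge-1` include added later in this commit; if the tip is still wanted it belongs in the include, otherwise this is a silent content loss. Minor: the old text said `To test a PowerShell script` and the include now says `To test the PowerShell script`, which reads oddly in an article like this one that presents a script only after the include.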
@ -171,6 +159,8 @@ $cimObject.HideFastUserSwitching = 1
Set-CimInstance -CimInstance $cimObject Set-CimInstance -CimInstance $cimObject
``` ```
[!INCLUDE [powershell-wmi-bridge-2](../../includes/configure/powershell-wmi-bridge-2.md)]
#### [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings) #### [:::image type="icon" source="images/icons/settings.svg"::: **Settings app**](#tab/settings)
To create a local account, and configure Take a Test in kiosk mode using the Settings app: To create a local account, and configure Take a Test in kiosk mode using the Settings app:

BIN
images/insider.png Normal file


View File

@ -6,11 +6,4 @@ ms.topic: include
ms.service: windows-client ms.service: windows-client
--- ---
To configure devices with Microsoft Intune, use a custom policy: To configure devices with Microsoft Intune, [create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings:
1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**
5. Specify a **Name** and, optionally, a **Description > Next**
6. Add the following settings:
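Review bot: The new sentence `[create a custom policy](/mem/intune/configuration/custom-settings-windows-10) and use the following settings:` assumes every consuming article follows the include directly with a settings table; the stickers and take-a-test articles in this diff do, but the other consumers of `intune-custom-settings-1` should be checked, since the numbered steps that previously introduced the table are gone and the `7.`/`8.` continuation in the sibling include is removed in the next hunk.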

View File

@ -6,7 +6,4 @@ ms.topic: include
ms.service: windows-client ms.service: windows-client
--- ---
7. Select **Next** Assign the policy to a group that contains as members the devices or users that you want to configure.
8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
9. Under **Applicability Rules**, select **Next**
10. Review the policy configuration and select **Create**
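Review bot: The replacement sentence changes `security group` to `group`; if the intent is still that policies are assigned only to security groups, keep the qualifier, otherwise this reads as a deliberate loosening. Dropping the `Applicability Rules` and `Review ... Create` steps is consistent with the linked custom-policy article now owning the click-through.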

View File

@ -1,9 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
ms.service: windows-client
---
For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
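Review bot: Deleting this include is only safe if every `[!INCLUDE [intune-custom-settings-info](...)]` reference is removed; this diff removes two (stickers and take-a-test), but with 62 files changed a repo-wide search for `intune-custom-settings-info` should confirm none remain, otherwise the build breaks on a missing include.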

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---
Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
To test the PowerShell script, you can:
1. [Download the psexec tool](/sysinternals/downloads/psexec)
1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
1. Run the script in the PowerShell session
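Review bot: This new include uses `ms.prod: windows-client` while the other includes touched in this commit (`intune-custom-settings-1`, `intune-custom-settings-2`, the deleted `intune-custom-settings-info`) use `ms.service: windows-client`; pick one key so the metadata is consistent across the `includes/configure/` folder.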

View File

@ -0,0 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/12/2023
ms.topic: include
ms.prod: windows-client
---
For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
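Review bot: Same `ms.prod` vs `ms.service` inconsistency as in `powershell-wmi-bridge-1`. Since this include is a single link sentence, either merge it into the `-1` include or make sure every article that adds `-1` also adds `-2` at the end of its PowerShell tab, as take-a-test does in this diff.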

View File

@ -7,7 +7,7 @@ ms.date: 01/11/2024
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
:::image type="content" source="insider.png" alt-text="Logo of Windows Insider." border="false"::: :::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
:::column-end::: :::column-end:::
:::column span="3"::: :::column span="3":::
> [!IMPORTANT] > [!IMPORTANT]
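Review bot: The path change to `../images/insider.png` matches the `images/insider.png` binary added in this commit only if this include lives one directory below the folder that contains `images/`; confirm the include's location, since a wrong relative path fails silently as a broken image rather than a build error.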

View File

@ -0,0 +1,88 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_37_2817)">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint0_linear_37_2817)"/>
<mask id="mask0_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="1" width="18" height="16">
<path d="M17.116 3H7.14404L6.4748 2.16348C6.30918 1.95645 6.09912 1.78933 5.86016 1.67448C5.62121 1.55963 5.35948 1.5 5.09436 1.5H0.89175C0.657331 1.50001 0.432516 1.59314 0.266759 1.7589C0.101002 1.92466 0.00787898 2.14948 0.007875 2.3839V3H0V15.6272C0.00147129 15.8601 0.0954272 16.083 0.261198 16.2466C0.42697 16.4103 0.650977 16.5015 0.883943 16.5H17.116C17.349 16.5015 17.573 16.4103 17.7388 16.2466C17.9046 16.0829 17.9985 15.8601 18 15.6272V3.87282C17.9985 3.63986 17.9045 3.41704 17.7388 3.25335C17.573 3.08967 17.349 2.99854 17.116 3Z" fill="url(#paint1_linear_37_2817)"/>
</mask>
<g mask="url(#mask0_37_2817)">
<g filter="url(#filter0_dd_37_2817)">
<path d="M15.375 4.5H1.125C0.50368 4.5 0 5.00368 0 5.625V8.625C0 9.24632 0.50368 9.75 1.125 9.75H15.375C15.9963 9.75 16.5 9.24632 16.5 8.625V5.625C16.5 5.00368 15.9963 4.5 15.375 4.5Z" fill="#C4C4C4"/>
</g>
</g>
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint2_linear_37_2817)"/>
<path opacity="0.3" d="M17.1161 3.75076H7.72883C7.44177 3.74115 7.15906 3.82284 6.92137 3.98408C6.43763 4.34022 5.84803 4.52305 5.24767 4.50308H0.883943C0.767861 4.50308 0.652915 4.52594 0.54567 4.57037C0.438425 4.61479 0.340979 4.6799 0.258898 4.76199C0.176816 4.84407 0.111706 4.94152 0.0672838 5.04876C0.0228621 5.15601 -9.84791e-07 5.27095 1.27287e-10 5.38703L1.27287e-10 6.13703C-1.96976e-06 6.02095 0.0228605 5.90601 0.0672821 5.79876C0.111704 5.69152 0.176814 5.59407 0.258896 5.51199C0.340978 5.42991 0.438424 5.3648 0.54567 5.32037C0.652916 5.27595 0.767861 5.25309 0.883943 5.25309H5.37891C6.01545 5.25927 6.63978 5.07825 7.17428 4.73251C7.4098 4.57627 7.6873 4.49544 7.96988 4.50076H17.116C17.2321 4.50075 17.3471 4.5236 17.4543 4.56802C17.5616 4.61243 17.659 4.67754 17.7411 4.75962C17.8232 4.8417 17.8883 4.93914 17.9327 5.04639C17.9771 5.15363 18 5.26858 18 5.38466V4.63466C18 4.51858 17.9771 4.40364 17.9327 4.2964C17.8883 4.18916 17.8232 4.09172 17.7411 4.00964C17.6591 3.92756 17.5616 3.86246 17.4544 3.81804C17.3471 3.77362 17.2322 3.75076 17.1161 3.75076V3.75076Z" fill="url(#paint3_linear_37_2817)"/>
<mask id="mask1_37_2817" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="0" y="3" width="18" height="15">
<path d="M7.72545 3.75004C7.43133 3.74413 7.1429 3.83149 6.9015 3.99961C6.45374 4.32633 5.91378 4.50239 5.3595 4.50238H0.883928C0.649495 4.50238 0.424665 4.59551 0.258896 4.76128C0.0931278 4.92705 0 5.15188 0 5.38631L0 16.3662C1.98897e-05 16.6006 0.0931558 16.8254 0.258922 16.9912C0.424687 17.1569 0.649506 17.25 0.883928 17.25H17.116C17.3505 17.25 17.5753 17.1569 17.7411 16.9912C17.9068 16.8254 18 16.6006 18 16.3662V4.63396C18 4.51788 17.9771 4.40294 17.9327 4.2957C17.8883 4.18845 17.8232 4.09101 17.7411 4.00893C17.659 3.92684 17.5616 3.86174 17.4543 3.81732C17.3471 3.7729 17.2321 3.75003 17.116 3.75004H7.72545Z" fill="url(#paint4_linear_37_2817)"/>
</mask>
<g mask="url(#mask1_37_2817)">
<g filter="url(#filter1_dd_37_2817)">
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint5_linear_37_2817)"/>
</g>
</g>
<path d="M5.25 12H12.75C13.3467 12 13.919 12.2371 14.341 12.659C14.7629 13.081 15 13.6533 15 14.25V17.25H3V14.25C3 13.6533 3.23705 13.081 3.65901 12.659C4.08097 12.2371 4.65326 12 5.25 12V12Z" fill="url(#paint6_linear_37_2817)"/>
<path d="M12.375 14.25H5.625C5.41789 14.25 5.25 14.4179 5.25 14.625C5.25 14.8321 5.41789 15 5.625 15H12.375C12.5821 15 12.75 14.8321 12.75 14.625C12.75 14.4179 12.5821 14.25 12.375 14.25Z" fill="#114A8B"/>
</g>
<defs>
<filter id="filter0_dd_37_2817" x="-1.5" y="3" width="19.5" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<filter id="filter1_dd_37_2817" x="1.5" y="10.5" width="15" height="8.25" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.25"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_37_2817"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
<feOffset/>
<feGaussianBlur stdDeviation="0.75"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow_37_2817" result="effect2_dropShadow_37_2817"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_37_2817" result="shape"/>
</filter>
<linearGradient id="paint0_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint1_linear_37_2817" x1="13.1828" y1="16.9947" x2="4.5833" y2="2.10007" gradientUnits="userSpaceOnUse">
<stop offset="0.1135" stop-color="#D18B00"/>
<stop offset="0.6162" stop-color="#E09F00"/>
</linearGradient>
<linearGradient id="paint2_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint3_linear_37_2817" x1="1.27287e-10" y1="4.94352" x2="18" y2="4.94352" gradientUnits="userSpaceOnUse">
<stop stop-color="white"/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint4_linear_37_2817" x1="13.9722" y1="19.1122" x2="4.62611" y2="2.92425" gradientUnits="userSpaceOnUse">
<stop stop-color="#F5B300"/>
<stop offset="0.5" stop-color="#FFCB3C"/>
<stop offset="1" stop-color="#FFD762"/>
</linearGradient>
<linearGradient id="paint5_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<linearGradient id="paint6_linear_37_2817" x1="10.7628" y1="18.5014" x2="6.59164" y2="11.2768" gradientUnits="userSpaceOnUse">
<stop stop-color="#0062B4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<clipPath id="clip0_37_2817">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>
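Review bot: `paint0`/`paint1`, `paint2`/`paint4` and `paint5`/`paint6` are pairwise identical gradients and both `<mask>` paths duplicate the fill paths verbatim; the exported icon could reuse one gradient per pair. Cosmetic only, does not block the change.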


View File

@ -1,15 +1,24 @@
--- ---
title: Find the Application User Model ID of an installed app title: Find the Application User Model ID of an installed app
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. description: Learn how to find the Application User Model ID (AUMID) of the appications installed on a Windows device.
ms.topic: article ms.topic: how-to
ms.date: 12/31/2017 ms.date: 02/05/2023
--- ---
# Find the Application User Model ID of an installed app # Find the Application User Model ID of an installed app
To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry. Windows uses Application User Model Id (AUMID, also known as AppId) values to identify and differentiate applications for switching, launching, telemetry, and other functions.\
AUMID are unique to each installed application, and independent of the installation path or the application's display name.
## To find the AUMID by using Windows PowerShell To configure Assigned Access, you must use the AUMID of the apps installed on a device. This article describes how to find the AUMID of an installed app.
## How to find the AUMID
You can find an application's AUMID by using Windows PowerShell, File Explorer, or the registry.
Follow the instructions to retrieve AUMIDs, selecting the tool of your choice.
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:
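Review bot: Three wording issues in the new text: `appications` in `description` should be `applications`; `ms.date: 02/05/2023` looks like it should be `02/05/2024`, given the commit date and the `02/05/2024` used in the new include later in this diff; and `AUMID are unique to each installed application` should read `AUMIDs are unique`. The PowerShell tab anchor is `#tab/ps` here but `#tab/powershell` in the stickers and take-a-test articles; aligning them keeps tab selection consistent across pages.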
@ -36,17 +45,49 @@ $aumidList
You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. You can add the `-user <username>` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters.
## To find the AUMID by using File Explorer <!-- new
In PowerShell Get-StartApps will list the AUMID values for apps that appear in the start menu (those that are hidden don't appear).
```powershell
$apps = Get-AppxPackage *calc* # remove param to see *all*
foreach ($app in $apps) {
$man = Get-AppxPackageManifest $app
$appIds = $man.Package.Applications.Application.Id
foreach ($id in $appIds) {
"$($app.PackageFamilyName)!$id"
}
}
```
Powershell to display the AppId for the calc application (a packaged UWP App).
```powershell
$apps = Get-AppxPackage *calc* # remove param to see *all*
foreach ($app in $apps) {
$man = Get-AppxPackageManifest $app
$appIds = $man.Package.Applications.Application.Id
foreach ($id in $appIds) {
"$($app.PackageFamilyName)!$id"
}
}
```
-->
#### [:::image type="icon" source="../images/icons/explorer.svg"::: **Explorer**](#tab/explorer)
Start.Run… shell:appsfolder to open File Explorer on the AppsFolder.
To get the names and AUMIDs for all apps installed for the current user, perform the following steps: To get the names and AUMIDs for all apps installed for the current user, perform the following steps:
1. Open **Run**, enter **shell:Appsfolder**, and select **OK**. 1. Select **Start** > **Run**, enter `shell:Appsfolder`, and select **OK**
1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**. 1. A File Explorer window opens. Press <kbd>Alt</kbd>+<kbd>V</kbd> > **Choose details**
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) 1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to c
1. Change the **View** setting from **Tiles** to **Details**
![Image of the Choose Details options.](images/aumid-file-explorer.png) :::image type="content" source="images/aumid-file-explorer.png" alt-text="Screenshot of the File Explorer showing the AUMID details." border="false":::
## To find the AUMID of an installed app for the current user by using the registry #### [:::image type="icon" source="../images/icons/registry.svg"::: **Registry**](#tab/registry)
Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
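Review bot: The `<!-- new ... -->` block contains the same PowerShell snippet twice (once bare, once under the `Powershell to display the AppId for the calc application` caption) plus an unfinished note about `Get-StartApps`; either finish it or drop the comment before merging rather than shipping notes-to-self. Under the Explorer tab, `Start.Run… shell:appsfolder to open File Explorer on the AppsFolder.` is a stray draft line that duplicates step 1 and should go. Step 3's right-hand text ends mid-sentence at `(You might need to c`; since the new step 4 now covers switching from Tiles to Details, drop the parenthetical entirely.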
@ -56,6 +97,8 @@ At a command prompt, type the following command:
reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ" reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"
``` ```
---
### Example to get AUMIDs of the installed apps for the specified user ### Example to get AUMIDs of the installed apps for the specified user
The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.


View File

@ -0,0 +1,59 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/05/2024
ms.topic: include
ms.prod: windows-client
---
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</rs5:FileExplorerNamespaceRestrictions>
<win11:StartPins>
<![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Library Kiosk"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
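Review bot: In `<AllowedApps>`, the Edge entry uses `AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"` for what is a desktop executable path; the three other desktop apps use `DesktopAppPath`, so this should be `<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />` or the entry is unlikely to match. The profile is labelled `Library Kiosk` and is assigned to an `AutoLogonAccount`, yet the allow list and Start pins include `cmd.exe` and `Powershell.exe`; a multi-app kiosk that hands the auto-logon user a shell undoes the lockdown, so either remove those two entries from the sample or have the surrounding article state that they are present for demonstration only. Minor: `rs5` and `v2` both bind to the 201810 namespace and `v5` and `win11` both bind to the 2022 namespace, which is harmless but confusing; one prefix per namespace would be cleaner.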

View File

@ -250,7 +250,7 @@ The following table describes some features that have interoperability issues we
| <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. | | <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Esc</kbd> | Cycle through items in the reverse order from which they were opened. |
| <kbd>Ctrl</kbd> + <kbd>Esc</kbd> | Open the Start screen. | | <kbd>Ctrl</kbd> + <kbd>Esc</kbd> | Open the Start screen. |
| <kbd>Ctrl</kbd> + <kbd>F4</kbd> | Close the window. | | <kbd>Ctrl</kbd> + <kbd>F4</kbd> | Close the window. |
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd + <kbd>Esc</kbd> | Open Task Manager. | | <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager. |
| <kbd>Ctrl</kbd> + <kbd>Tab</kbd> | Switch windows within the application currently open. | | <kbd>Ctrl</kbd> + <kbd>Tab</kbd> | Switch windows within the application currently open. |
| LaunchApp1 | Open the app that is assigned to this key. | | LaunchApp1 | Open the app that is assigned to this key. |
| LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. | | LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
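Review bot: The `</kbd` to `</kbd>` fix on the Ctrl+Shift+Esc row is correct and is the only change in this hunk.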
@ -260,16 +260,16 @@ The following table describes some features that have interoperability issues we
Keyboard Filter settings apply to other standard accounts. Keyboard Filter settings apply to other standard accounts.
- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). - **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education
- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access. - **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access
For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). For more information on removing the power button or disabling the physical power button, see [Custom Logon][WHW-1]
- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. - **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access
For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). For more information, see [Unified Write Filter][WHW-2]
- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. - **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). If you need to use assigned access API, see [WEDL_AssignedAccess][WHW-3]
- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. - **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own
For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). For more information, see [Custom Logon][WHW-1].
## Testing your kiosk in a virtual machine (VM) ## Testing your kiosk in a virtual machine (VM)
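Review bot: the right-hand text drops the sentence-ending periods on the bullets that now end `Windows client Enterprise or Education`, `when it's in assigned access`, `including users with assigned access` and `make the Welcome screen your own`, while the WEDL_AssignedAccess bullet keeps its period; make the bullets consistent. Two pre-existing defects in the same lines are worth fixing while the paragraph is being touched: `UWFsettings` is missing a space (`UWF settings`), and `It's recommended to you use the Windows PowerShell cmdlets instead` should read `It's recommended that you use the Windows PowerShell cmdlets instead`.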
@ -277,10 +277,13 @@ Customers sometimes use virtual machines (VMs) to test configurations before dep
A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V.
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session. > [!NOTE]
> When you connect to a VM configured as a single-app kiosk, you must use a *basic session* rather than an *enhanced session*. For more information, see [Check session type][VIR-1].
:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used."::: <!--links-->
To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: [VIR-1]: /virtualization/hyper-v-on-windows/user-guide/enhanced-session-mode#check-session-type
[WHW-1]: /windows-hardware/customize/enterprise/custom-logon
[WHW-2]: /windows-hardware/customize/enterprise/unified-write-filter
[WHW-3]: /windows-hardware/customize/enterprise/wedl-assignedaccess
:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::
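Review bot: the replacement note drops the practical instruction the removed text carried (cancel the connection dialog with the X instead of selecting Connect to get a basic session), so a reader who cannot follow the link no longer learns how to obtain a basic session; consider keeping that one sentence next to the `[VIR-1]` link. Also confirm that the `#check-session-type` fragment in the `[VIR-1]` target resolves, since the note now depends entirely on it.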

View File

@ -2,6 +2,8 @@
title: Set up a multi-app kiosk on Windows 11 title: Set up a multi-app kiosk on Windows 11
description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps. description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps.
ms.date: 05/12/2023 ms.date: 05/12/2023
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
ms.topic: how-to ms.topic: how-to
--- ---

View File

@ -1,28 +0,0 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry
description: Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
ms.topic: article
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Lockdown features from Windows Embedded 8.1 Industry
Many of the lockdown feature available in Windows Embedded 8.1 Industry have been modified in some form for Windows 1. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes|
|--- |--- |--- |
|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.|
|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.|
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 151. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 1. It's now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.|
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 1. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of noncritical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.<br>Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.|
|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.|
|[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.<br> <br> Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.|
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 1. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and noncritical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.|
|[Custom sign in](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign out, and shut down|[Embedded sign in](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
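Review bot: deleting `lockdown-features-windows-10.md` requires a redirect for the old path and removal of the TOC entry pointing at `lockdown-features-windows-10.md`; the TOC hunk in this commit removes the entry, so confirm the redirect is in place before merge, otherwise every inbound link to this page breaks. The deleted table also contained the truncations `Windows 1` and `version 151`, which is a further reason not to keep it around.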

View File

@ -0,0 +1,176 @@
---
title: "Quickstart: Configure a restricted user experience"
description: Learn how to configure a restricted user experience using Windows Configuration Designer, Microsoft Intune, PowerShell or GPO.
ms.topic: quickstart
ms.date: 02/05/2024
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
---
# Quickstart: Configure a restricted user experience
With a *restricted user experience*, you can control the applications allowed in a locked down Windows desktop.
This quickstart provides practical examples of how to configure a restricted user experience on Windows 11. The examples describe the steps using a mobile device management solution (MDM) like Microsoft Intune, provisioning packages (PPKG), and PowerShell. While different solutions are used, the configuration settings and results are the same.
The examples can be modified to fit your specific requirements. For example, you can add or remove applications from the list of allowed apps, or change the name of the user that automatically signs in to Windows.
## Prerequisites
>[!div class="checklist"]
>Here's a list of requirements to complete this quickstart:
>
>- A Windows 11 device
>- Microsoft Intune, or a non-Microsoft MDM solution, if you want to configure the settings using MDM
>- Windows Configuration Designer, if you want to configure the settings using a provisioning package
>- Access to the [psexec tool](/sysinternals/downloads/psexec), if you want to test the configuration using Windows PowerShell
## Configure a restricted user experience
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
> [!TIP]
> Use the following Graph call to automatically create a custom policy in your Microsoft Intune tenant without assignments nor scope tags.
>
> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example", "description": "Collection of settings for Assigned Access", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<AssignedAccessConfiguration xmlns=\"http://schemas.microsoft.com/AssignedAccess/2017/config\"\n xmlns:rs5=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v2=\"http://schemas.microsoft.com/AssignedAccess/201810/config\"\n xmlns:v3=\"http://schemas.microsoft.com/AssignedAccess/2020/config\"\n xmlns:v5=\"http://schemas.microsoft.com/AssignedAccess/2022/config\"\n xmlns:win11=\"http://schemas.microsoft.com/AssignedAccess/2022/config\"\n >\n <Profiles>\n <Profile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\">\n <AllAppsList>\n <AllowedApps>\n <App AppUserModelId=\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\" />\n <App AppUserModelId=\"Microsoft.BingWeather_8wekyb3d8bbwe!App\" />\n <App DesktopAppPath=\"C:\\Windows\\system32\\cmd.exe\" />\n <App DesktopAppPath=\"%windir%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe\" />\n <App DesktopAppPath=\"%windir%\\explorer.exe\" />\n <App AppUserModelId=\"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\" />\n <App AppUserModelId=\"%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe\" />\n </AllowedApps>\n </AllAppsList>\n <rs5:FileExplorerNamespaceRestrictions>\n <rs5:AllowedNamespace Name=\"Downloads\"/>\n <v3:AllowRemovableDrives/>\n </rs5:FileExplorerNamespaceRestrictions>\n <win11:StartPins>\n <![CDATA[{\n \"pinnedList\":[\n 
{\"packagedAppId\":\"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.Windows.Photos_8wekyb3d8bbwe!App\"},\n {\"packagedAppId\":\"Microsoft.BingWeather_8wekyb3d8bbwe!App\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\System Tools\\\\Command Prompt.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Windows PowerShell\\\\Windows PowerShell.lnk\"},\n {\"desktopAppLink\":\"%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\File Explorer.lnk\"},\n {\"packagedAppId\": \"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\"},\n {\"desktopAppLink\": \"%ALLUSERSPROFILE%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Microsoft Edge.lnk\"}\n ]\n }]]>\n </win11:StartPins>\n <Taskbar ShowTaskbar=\"true\"/>\n </Profile>\n </Profiles>\n <Configs>\n <Config>\n <AutoLogonAccount rs5:DisplayName=\"Library Kiosk\"/>\n <DefaultProfile Id=\"{9A2A490F-10F6-4764-974A-43B19E722C23}\"/>\n </Config>\n </Configs>\n</AssignedAccessConfiguration>" } ] }
```
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [AssignedAccess CSP][WIN-3].
- **Setting:** `./Vendor/MSFT/AssignedAccess/Configuration`
- **Value:**
[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `AssignedAccess/MultiAppAssignedAccessSettings`
- **Value:**
[!INCLUDE [quickstart-restricted-experience-xml](includes/quickstart-restricted-experience-xml.md)]
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/ps)
[!INCLUDE [powershell-wmi-bridge-1](../../../includes/configure/powershell-wmi-bridge-1.md)]
```powershell
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App DesktopAppPath="C:\Windows\system32\cmd.exe" />
<App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
<App DesktopAppPath="%windir%\explorer.exe" />
<App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
<v3:AllowRemovableDrives/>
</rs5:FileExplorerNamespaceRestrictions>
<win11:StartPins>
<![CDATA[{
"pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
{"packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},
{"desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
]
}]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Library Kiosk"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
"@)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
Write-Error -ErrorRecord $cimSetError[0]
$timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {
Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
}
} else {
Write-Warning "Timed-out attempting to retrieve event logs..."
}
Exit 1
}
Write-Output "Successfully applied Assigned Access configuration"
```
[!INCLUDE [powershell-wmi-bridge-2](../../../includes/configure/powershell-wmi-bridge-2.md)]
---
## User experience
After the settings are applied, reboot the device. A user account named `Library Kiosk` is automatically signed in, with access to a limited set of applications, which are pinned to the Start menu.
:::image type="content" source="images/quickstart-restricted-experience.png" alt-text="Screenshot of the Windows desktop used for the quickstart." border="false":::
## Next steps
> [!div class="nextstepaction"]
> Learn more how to configure Windows to execute as a restricted user experience:
>
> [Configure a restricted user experience](lock-down-windows-11-to-specific-apps.md)
<!--links-->
[WIN-3]: /windows/client-management/mdm/assignedaccess-csp
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
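Review bot: in the AllowedApps list (both in the Graph JSON value and in the PowerShell XML) `<App AppUserModelId="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />` puts a file path in the AppUserModelId attribute; every other Win32 entry uses `DesktopAppPath`, so unless there is a reason for the difference this should be `<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />`, otherwise Edge is unlikely to be allowed in the profile. Second, the allowlist includes `C:\Windows\system32\cmd.exe` and `Powershell.exe` in a profile the text presents as a locked down `Library Kiosk` desktop; a command shell lets the kiosk user run anything the account can reach, so either drop those two entries from the quickstart or say plainly that they are there only so the reader can test, and must be removed for production. Third, the `description` frontmatter lists `PowerShell or GPO`, but the body has only Intune/CSP, PPKG and PowerShell tabs; remove GPO from the description or add the tab. Minor: `$obj = Set-CimInstance -CimInstance $obj ...` assigns `$null` because `Set-CimInstance` returns nothing without `-PassThru`; it is harmless here since `$obj` is not reused, but the assignment is misleading.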

View File

@ -1,37 +1,47 @@
items: items:
- name: Overview - name: Overview
href: kiosk-methods.md href: kiosk-methods.md
- name: Quickstarts
items:
- name: Configure a restricted user experience
href: quickstart-restricted-experience.md
- name: Concepts
items:
- name: Prepare a device for kiosk configuration - name: Prepare a device for kiosk configuration
href: kiosk-prepare.md href: kiosk-prepare.md
- name: Set up digital signs - name: Deployment guides
href: setup-digital-signage.md items:
- name: Set up a single-app kiosk - name: Configure digital signs
href: kiosk-single-app.md href: setup-digital-signage.md
- name: Set up a multi-app kiosk for Windows 10 - name: Configure a kiosk
href: lock-down-windows-10-to-specific-apps.md href: kiosk-single-app.md
- name: Set up a multi-app kiosk for Windows 11 - name: Configure a restricted user experience for Windows 10
href: lock-down-windows-11-to-specific-apps.md href: lock-down-windows-10-to-specific-apps.md
- name: Kiosk reference information - name: Configure a restricted user experience for Windows 11
href: lock-down-windows-11-to-specific-apps.md
- name: How-to guides
items:
- name: Find the AUMID of an installed app
href: find-aumid.md
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Use AppLocker to create a Windows 10 kiosk
href: lock-down-windows-10-applocker.md
- name: Use Shell Launcher to create a Windows client kiosk
href: kiosk-shelllauncher.md
- name: Troubleshoot
items: items:
- name: More kiosk methods and reference information
href: kiosk-additional-reference.md
- name: Find the Application User Model ID of an installed app
href: find-the-application-user-model-id-of-an-installed-app.md
- name: Validate your kiosk configuration - name: Validate your kiosk configuration
href: kiosk-validate.md href: kiosk-validate.md
- name: Guidelines for choosing an app for assigned access (kiosk mode) - name: Troubleshoot kiosk mode issues
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Rreference
items:
- name: Kiosk methods and reference information
href: kiosk-additional-reference.md
- name: Guidelines for choosing an app for assigned access
href: guidelines-for-assigned-access-app.md href: guidelines-for-assigned-access-app.md
- name: Policies enforced on kiosk devices - name: Policies enforced on kiosk devices
href: kiosk-policies.md href: kiosk-policies.md
- name: Assigned access XML reference - name: Assigned access XML reference
href: kiosk-xml.md href: kiosk-xml.md
- name: Use AppLocker to create a Windows 10 kiosk
href: lock-down-windows-10-applocker.md
- name: Use Shell Launcher to create a Windows client kiosk
href: kiosk-shelllauncher.md
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Troubleshoot kiosk mode issues
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Lockdown features from Windows Embedded 8.1 Industry
href: lockdown-features-windows-10.md
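Review bot: `- name: Rreference` is a typo for `Reference`; TOC names render in the navigation pane, so fix it before merge.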

View File

@ -21,9 +21,6 @@ When a full Start layout is applied, the users can't pin, unpin, or uninstall ap
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups. When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups.
> [!NOTE]
> Partial Start layout is only supported on Windows 10, version 1511 and later.
You can deploy the resulting .xml file to devices using one of the following methods: You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
@ -52,9 +49,7 @@ To customize Start:
- **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group. - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
> [!IMPORTANT] > [!IMPORTANT]
> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in. > If the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
>
> In earlier versions of Windows 10, no tile would be pinned.
### Export the Start layout ### Export the Start layout
@ -66,17 +61,13 @@ When you have the Start layout that you want your users to see, use the [Export-
To export the Start layout to an .xml file: To export the Start layout to an .xml file:
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. 1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: 1. Run `Export-StartLayout` with the switch `-UseDesktopApplicationID`. For example:
`Export-StartLayout -path <path><file name>.xml`
On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example:
```PowerShell ```PowerShell
Export-StartLayout -UseDesktopApplicationID -Path layout.xml Export-StartLayout -UseDesktopApplicationID -Path layout.xml
``` ```
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, `\\FileServer01\StartLayouts\StartLayoutMarketing.xml`).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
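Review bot: the new step and example use `-UseDesktopApplicationID` and `-Path`, but the sentence that follows still refers to the parameter as `-path` in lowercase; use `-Path` consistently so the prose matches the command shown.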

View File

@ -22,8 +22,6 @@ This topic describes how to update Group Policy settings to display a customized
## Operating system requirements ## Operating system requirements
In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works ## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
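Review bot: after removing the `In Windows 10, version 1607 ...` sentence, the `## Operating system requirements` section no longer states any operating system requirement, only the ADMX/ADML note; either restate the supported editions without version numbers (the removed sentence listed Enterprise, Education and Pro), or rename the heading to match what remains.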

View File

@ -13,9 +13,6 @@ ms.date: 08/05/2021
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization).
>[!WARNING] >[!WARNING]

View File

@ -14,7 +14,7 @@ ms.date: 12/31/2017
> [!NOTE] > [!NOTE]
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11. > Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11.
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. You can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
> [!IMPORTANT] > [!IMPORTANT]
> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. > If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
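Review bot: the `[!NOTE]` context line reads "supported on Windows 1" where "Windows 10" is clearly meant; since the paragraph directly below it is being rewritten anyway, fix the typo here rather than in a follow-up. The rewritten paragraph itself reads well (dropping "version 1703" and "simply"), but as in the other files the `ms.date: 12/31/2017` in the hunk header should be updated alongside the content.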

View File

@ -14,17 +14,11 @@ App tiles are the Start screen tiles that represent and launch an app. A tile th
- Status and updates from an important contact in a social app - Status and updates from an important contact in a social app
- A website in Microsoft Edge - A website in Microsoft Edge
In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo.
Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) ![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: By using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles display the same as they did on the device from which you exported the Start layout.
![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png)
In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) ![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
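Review bot: once the "In prior versions of Windows 10" paragraph and the `edge-without-logo.png` image are removed, the same `edge-with-logo.png` image with identical alt text appears twice in succession (immediately before and immediately after the rewritten sentence); drop the second copy. Also the cmdlet is written `export-StartLayoutEdgeAssets` in the prose but `Export-StartLayoutEdgeAssets` in the PowerShell block later in the same file; use the PascalCase form consistently so readers can copy it as-is.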
@ -78,7 +72,6 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
1. In Windows PowerShell, enter the following command: 1. In Windows PowerShell, enter the following command:
```powershell ```powershell
Export-StartLayoutEdgeAssets assets.xml Export-StartLayoutEdgeAssets assets.xml
``` ```
@ -139,7 +132,6 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
#### Create a provisioning package that contains a customized Start layout #### Create a provisioning package that contains a customized Start layout
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md) Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT] >[!IMPORTANT]

View File

@ -3,6 +3,8 @@ title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.topic: article ms.topic: article
ms.date: 08/05/2021 ms.date: 08/05/2021
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
--- ---
# Customize the Start menu and taskbar layout on Windows 10 and later devices # Customize the Start menu and taskbar layout on Windows 10 and later devices
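Review bot: the new `appliesto` block lists only Windows 10, but the H1 on the following context line still reads "Customize the Start menu and taskbar layout on Windows 10 and later devices"; either drop "and later" from the title or add Windows 11 to `appliesto` so the two agree. The added anchor `<a href=/windows/release-health/supported-versions-windows-client target=_blank>` also has unquoted attribute values; quote them to match the HTML used elsewhere in this commit.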
@ -184,19 +186,6 @@ In a clean install, if you apply a taskbar layout, only the following apps are p
After the layout is applied, users can pin more apps to the taskbar. After the layout is applied, users can pin more apps to the taskbar.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
- New apps specified in updated layout file are pinned to right of user's pinned apps.
[Learn how to configure Windows 10 taskbar](../taskbar/configure-windows-10-taskbar.md).
## Start layout configuration errors ## Start layout configuration errors
If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
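Review bot: the removed "Taskbar configuration applied to Windows 10 upgrades" section (the four rules for which pinned apps survive an upgrade) and the link to `../taskbar/configure-windows-10-taskbar.md` are not replaced by anything in this hunk. Confirm that the upgrade behavior is documented in the taskbar article and that no other page links to the `#taskbar-configuration-applied-to-windows-10-upgrades` anchor; otherwise add a one-line pointer after "After the layout is applied, users can pin more apps to the taskbar."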

View File

@ -14,7 +14,7 @@ ms.topic: article
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against non-Microsoft-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware - Malicious behaviors (malware) or certificates used to sign malware
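Review bot: "non-Microsoft-developed drivers" stacks two hyphens and is hard to parse; "drivers not developed by Microsoft" or "drivers from non-Microsoft vendors" keeps the meaning and reads better. While this paragraph is open, the context sentence "strict requirements for code running in kernel ... to run malware in kernel" is missing the article both times ("in the kernel").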

View File

@ -33,7 +33,7 @@ The security features of Windows combined with the benefits of a TPM offer pract
Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or non-Microsoft hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively: The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
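Review bot: the rename is incomplete within the edited sentence: it still opens with "Windows or third parties supply a cryptographic provider" while its end now says "non-Microsoft hardware"; change both occurrences or neither, since the page is otherwise replacing "third party" wholesale. The following context line "introduced in the Windows 8" also has a stray "the".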
@ -94,7 +94,7 @@ For software measurements, Device Encryption relies on measurements of the autho
Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.
The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). The Windows boot process happens in stages and often involves non-Microsoft drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted. Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.

View File

@ -22,9 +22,9 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
Use constrained or resource-based Kerberos delegation instead. Use constrained or resource-based Kerberos delegation instead.
## Third party Security Support Providers considerations ## Non-Microsoft Security Support Providers considerations
Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\ Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
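Review bot: the context line "Replacing the NTLM or Kerberos SSPs with custom SSPs and APs." is a sentence fragment; fold it into the preceding example, e.g. "For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported, nor is replacing the NTLM or Kerberos SSPs with custom SSPs and APs." In the edited line, "Any use of undocumented APIs within custom SSPs and APs aren't supported" should be "isn't supported" (the subject is "use"). The new heading "Non-Microsoft Security Support Providers considerations" would read more naturally as "Considerations for non-Microsoft Security Support Providers".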
@ -197,7 +197,7 @@ For a more immediate, but less secure fix, [disable Credential Guard](configure.
> >
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. > If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
### Issues with third-party applications ### Issues with non-Microsoft applications
The following issue affects MSCHAPv2: The following issue affects MSCHAPv2:

View File

@ -25,7 +25,7 @@ Some ways to store credentials aren't protected by Credential Guard, including:
- Key loggers - Key loggers
- Physical attacks - Physical attacks
- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization - Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization
- Third-party security packages - Non-Microsoft security packages
- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols - When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
> [!CAUTION] > [!CAUTION]
> It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases. > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
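Review bot: the list introduced by the context line "Some ways to store credentials aren't protected by Credential Guard, including:" mixes storage methods ("Key loggers", "Physical attacks", "Non-Microsoft security packages") with a limitation phrased as a sentence ("Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential"); since the list is being touched, consider moving that bullet to a separate "Credential Guard doesn't:" list so each item matches its lead-in.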

View File

@ -36,7 +36,7 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute). Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute).
A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. A Windows Server-based PKI or a non-Microsoft Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a non-Microsoft CA][SERV-1].
[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] [!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)]
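Review bot: the link text "[Requirements for domain controller certificates from a non-Microsoft CA][SERV-1]" mirrors the target article's title; if that article is still titled with "third-party CA", the renamed text will no longer match its destination and readers following the link will see a different heading. Confirm the target's current title before renaming quoted link text, or reword the sentence so the link text is descriptive rather than a title quotation.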

View File

@ -8,12 +8,12 @@ ms.topic: include
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
- certificates - certificates
- third-party authentication providers for AD FS - non-Microsoft authentication providers for AD FS
- custom authentication provider for AD FS - custom authentication provider for AD FS
> [!IMPORTANT] > [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
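Review bot: the context sentence "requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:" has two grammar problems: "requires users to perform MFA before enrolling in the service" and "can use one of the following MFA options:". The edited sentence "For creating a custom authentication method see ..." has no terminating period. The `[!IMPORTANT]` context still says "Microsoft will no longer offer MFA Server" for a July 1, 2019 date, while the parallel note in a later hunk of this commit already uses "doesn't offer"; align the two.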

View File

@ -26,7 +26,7 @@ The certificate template is configured to supersede all the certificate template
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities. However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.
> [!NOTE] > [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. > The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
>To see all certificates in the NTAuth store, use the following command: >To see all certificates in the NTAuth store, use the following command:
> >
> `Certutil -viewstore -enterprise NTAuth` > `Certutil -viewstore -enterprise NTAuth`
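Review bot: the context line "the certificate template and the superseding of certificate templates isn't active" has a compound subject and should read "aren't active". The `[!NOTE]` text also switches to "If you are using" where the rest of this commit uses contractions ("you're"); keep one style.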

View File

@ -112,11 +112,11 @@ Users can authenticate to Microsoft Entra ID using federated authentication or c
| | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements | | | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements |
|--|--|--|--|--| |--|--|--|--|--|
| **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a | | **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a |
| **🔲** | **Cloud-only** | n/a | Federated authentication | Third-party federation service | | **🔲** | **Cloud-only** | n/a | Federated authentication | Non-Microsoft federation service |
| **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) | | **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or third-party federation service | | **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or non-Microsoft federation service |
| **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) | | **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) |
| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or third-party federation service | | **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or non-Microsoft federation service |
| **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS| | **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS|
To learn more: To learn more:
@ -143,7 +143,7 @@ For on-premises deployments, the server running the Active Directory Federation
The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential: The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential:
- For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1] - For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1]
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2] - On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see [Microsoft and non-Microsoft additional authentication methods][SER-2]
> [!IMPORTANT] > [!IMPORTANT]
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2]. > As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
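Review bot: as with the domain controller certificate link, the link text "[Microsoft and non-Microsoft additional authentication methods][SER-2]" reads like the target article's title; verify the destination's title before renaming it, since a mismatch is more confusing than the term it replaces. In the `[!IMPORTANT]` context, "Existing deployment where the MFA Server was activated ... can download" should be "Existing deployments".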
@ -151,9 +151,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
|| Deployment model | MFA options | || Deployment model | MFA options |
|--|--|--| |--|--|--|
| **🔲** | **Cloud-only** | Microsoft Entra MFA | | **🔲** | **Cloud-only** | Microsoft Entra MFA |
| **🔲** | **Cloud-only** | Third-party MFA via Microsoft Entra ID custom controls or federation | | **🔲** | **Cloud-only** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation |
| **🔲** | **Hybrid** | Microsoft Entra MFA | | **🔲** | **Hybrid** | Microsoft Entra MFA |
| **🔲** | **Hybrid** | Third-party MFA via Microsoft Entra ID custom controls or federation| | **🔲** | **Hybrid** | Non-Microsoft MFA via Microsoft Entra ID custom controls or federation|
| **🔲** | **On-premises** | AD FS MFA adapter | | **🔲** | **On-premises** | AD FS MFA adapter |
For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]. For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4].
@ -224,7 +224,7 @@ Windows Hello for Business provides a rich set of granular policy settings. Ther
Here are some considerations regarding licensing requirements for cloud services: Here are some considerations regarding licensing requirements for cloud services:
- Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment][MEM-1] and [Conditional Access][ENTRA-8] do - Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment][MEM-1] and [Conditional Access][ENTRA-8] do
- Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM - Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported non-Microsoft MDM
- You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features - You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features
- Some Microsoft Entra multifactor authentication features require a license. For more information, see [Features and licenses for Microsoft Entra multifactor authentication][ENTRA-9]. - Some Microsoft Entra multifactor authentication features require a license. For more information, see [Features and licenses for Microsoft Entra multifactor authentication][ENTRA-9].
- Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature - Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature
@ -36,7 +36,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
> [!div class="checklist"] > [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items: > Before you continue with the deployment, validate your deployment progress by reviewing the following items:
> >
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) > - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a non-Microsoft certificate)
> - Confirm you added the AD FS service account to the KeyAdmins group > - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service > - Confirm you enabled the Device Registration service
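Review bot: the mechanical substitution changes the meaning of "issuing CA vendor (if a third-party certificate)". In this checklist item, "third-party" distinguishes an AD FS certificate bought from an external or public CA from one issued by the organization's own enterprise CA; "non-Microsoft certificate" does not express that distinction, because no AD FS service certificate is issued by Microsoft. Suggest "issuing CA vendor (if the certificate was issued by an external or public CA)".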
@ -21,7 +21,7 @@ Before you continue with the deployment, validate your deployment progress by re
> [!div class="checklist"] > [!div class="checklist"]
> >
> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) > - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a non-Microsoft certificate)
> - Confirm you added the AD FS service account to the KeyAdmins group > - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service > - Confirm you enabled the Device Registration service
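Review bot: same meaning shift as in the other copy of this checklist: "if a non-Microsoft certificate" loses the intended contrast between a certificate from an external or public CA and one from the organization's own enterprise CA. Suggest "if the certificate was issued by an external or public CA" here as well so both checklists stay consistent.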
@ -110,7 +110,7 @@ sections:
questions: questions:
- question: Can Windows Hello for Business work in air-gapped environments? - question: Can Windows Hello for Business work in air-gapped environments?
answer: | answer: |
Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment. Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a non-Microsoft MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
- question: How many users can enroll for Windows Hello for Business on a single Windows device? - question: How many users can enroll for Windows Hello for Business on a single Windows device?
answer: | answer: |
The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys. The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys.
@ -120,12 +120,12 @@ sections:
- question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business? - question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
answer: | answer: |
Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
- question: Can I use third-party MFA providers with Windows Hello for Business? - question: Can I use non-Microsoft MFA providers with Windows Hello for Business?
answer: | answer: |
Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). Yes, if you're using federated hybrid deployment, you can use any non-Microsoft that provides an AD FS MFA adapter. A list of non-Microsoft MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with third-party federation servers? - question: Does Windows Hello for Business work with non-Microsoft federation servers?
answer: | answer: |
Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.<br><br> Windows Hello for Business works with any non-Microsoft federation servers that support the protocols used during the provisioning experience.<br><br>
| Protocol | Description | | Protocol | Description |
| :--- | :--- | | :--- | :--- |
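Review bot: the answer about MFA providers now reads "you can use any non-Microsoft that provides an AD FS MFA adapter", which drops the noun; suggest "you can use any non-Microsoft provider that offers an AD FS MFA adapter". The URL fragment `#microsoft-and-third-party-additional-authentication-methods` on the same line is correct as written, since it must match the target page's heading slug, so it should not be renamed along with the prose.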
@ -17,7 +17,7 @@ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA. The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist. In federated environments, authentication may be configured to route to AD FS or a non-Microsoft identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the message *We can't open that page right now*. If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the message *We can't open that page right now*.
@ -49,18 +49,18 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)). To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA) ## Microsoft Entra joined device access to on-premises resources using key trust and non-Microsoft Certificate Authority (CA)
Applies to: Applies to:
- Microsoft Entra joined key trust deployments - Microsoft Entra joined key trust deployments
- Third-party certificate authority (CA) issuing domain controller certificates - Non-Microsoft certificate authority (CA) issuing domain controller certificates
Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a third-party CA to issue domain controller certificates. Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a non-Microsoft CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a non-Microsoft CA to issue domain controller certificates.
For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). For more information, read [Guidelines for enabling smart card sign in with non-Microsoft certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
### Identify on-premises resource access issues with third party CAs ### Identify on-premises resource access issues with non-Microsoft CAs
The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information: The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information:
@ -80,7 +80,7 @@ Expected Domain Name: ad.contoso.com
Error Code: 0xC000006D Error Code: 0xC000006D
``` ```
### Resolve on-premises resource access issue with third party CAs ### Resolve on-premises resource access issue with non-Microsoft CAs
To resolve the issue, domain controller certificates must be updated so that the certificate subject contains the directory path of the server object (distinguished name). To resolve the issue, domain controller certificates must be updated so that the certificate subject contains the directory path of the server object (distinguished name).
Example Subject: `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com` Example Subject: `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com`
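Review bot: the link text "Guidelines for enabling smart card sign in with non-Microsoft certification authorities" no longer matches the title of the linked troubleshooting article, whose path still reads `enabling-smart-card-logon-third-party-certification-authorities`; consider keeping the article's own title as the link text so readers can confirm they reached the right page. The headings and body text in this hunk read fine, since "non-Microsoft CA" preserves the intended contrast with Active Directory Certificate Services.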
@ -71,7 +71,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.| | 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.|
| 0x80090010 | NTE_PERM | | 0x80090010 | NTE_PERM |
| 0x80090020 | NTE_FAIL | | 0x80090020 | NTE_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x80090027 | Caller provided a wrong parameter. If non-Microsoft code receives this error, they must change their code. |
| 0x8009002D | NTE_INTERNAL_ERROR | | 0x8009002D | NTE_INTERNAL_ERROR |
| 0x801C0001 | ADRS server response is not in a valid format. | | 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. | | 0x801C0002 | Server failed to authenticate the user. |
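Review bot: in the 0x80090027 row, "If non-Microsoft code receives this error, they must change their code" leaves "they" without an antecedent; suggest "If non-Microsoft code receives this error, its developers must change the code" or simply "the caller must correct the parameter".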
@ -70,7 +70,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description | | Phase | Description |
|:-|:-| |:-|:-|
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | | A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. 
The Microsoft Entra multifactor authentication service (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID and a key receipt to the application, which represents the end of user key registration. | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID and a key receipt to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. | | D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
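Review bot: the Phase A row of this table appears to have gained a line break after "typically user name and password." in the new text, with the rest of the cell ("The Microsoft Entra multifactor authentication service (or a non-Microsoft MFA service) ...") continuing on a separate line. A newline inside a Markdown table row ends the row, so the remainder would render as stray text below the table; please rejoin the row onto one line as it was before the change.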
@ -87,7 +87,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.| |A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).| | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
@ -97,7 +97,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.| |A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Microsoft Entra multifactor authentication server (or a non-Microsoft MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).| | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.| |D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|

View File

@ -11,7 +11,7 @@ ms.topic: include
- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user - If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user
- If you don't configure this policy setting, users can provision Windows Hello for Business - If you don't configure this policy setting, users can provision Windows Hello for Business
Select the option *Don't start Windows Hello provisioning after sign-in* when you use a third-party solution to provision Windows Hello for Business: Select the option *Don't start Windows Hello provisioning after sign-in* when you use a non-Microsoft solution to provision Windows Hello for Business:
- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in - If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in - If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in

View File

@ -45,7 +45,7 @@ Supported credential providers include:
|Trusted Signal<br>(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| |Trusted Signal<br>(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`|
> [!NOTE] > [!NOTE]
> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. > Multifactor unlock does not support non-Microsoft credential providers or credential providers not listed in the above table.
The default credential providers for the **First unlock factor credential provider** include: The default credential providers for the **First unlock factor credential provider** include:
@ -382,7 +382,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
--- ---
>[!IMPORTANT] >[!IMPORTANT]
>You should remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). >You should remove all non-Microsoft credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
## User experience ## User experience
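Review bot: "The fall back options" in the IMPORTANT callout should be "The fallback options", and the callout mixes "cannot"/"do not" with the contractions used in the rest of this file ("doesn't", "don't"); suggest "to ensure users can't unlock their devices if they don't have the required factors".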

View File

@ -179,7 +179,7 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
**Applies to:** Microsoft Entra joined devices **Applies to:** Microsoft Entra joined devices
PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset. If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]

View File

@ -197,9 +197,9 @@ Here are the steps to manually request a certificate using an Active Directory C
--- ---
## Use third-party certification authorities ## Use non-Microsoft certification authorities
If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6]. If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use non-Microsoft certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
As an alternative to using SCEP, or if none of the previously covered solutions work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet. As an alternative to using SCEP, or if none of the previously covered solutions work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
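Review bot: the link text was renamed to "Use non-Microsoft certification authorities (CA) with SCEP in Microsoft Intune", but [MEM-6] points at a separately published Intune article whose title this commit does not change; verify the new text still matches that page's title or keep the published title so readers can find it. In the following paragraph, "PowerShell commandlet" should be "PowerShell cmdlet".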

View File

@ -15,7 +15,7 @@ items:
href: configure.md href: configure.md
- name: Deployment guides - name: Deployment guides
href: deploy/toc.yml href: deploy/toc.yml
- name: How-to-guides - name: How-to guides
items: items:
- name: Configure PIN reset - name: Configure PIN reset
href: pin-reset.md href: pin-reset.md

View File

@ -54,7 +54,7 @@ Mitigating password usage with applications is one of the more challenging obsta
The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with third-party software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication. Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with non-Microsoft software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication.
## Repeat until all user password usage is mitigated ## Repeat until all user password usage is mitigated
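Review bot: "Work with the applications vendors" should be "Work with the application vendors", and "when they sign-in to Windows" uses the noun form as a verb; as a verb it is "sign in" (the hyphenated "sign-in" is the noun or adjective, as in "single sign-on experience" on the same line).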

View File

@ -134,7 +134,7 @@ For more information, see [Use a Temporary Access Pass][AAD-3].
:::row::: :::row:::
:::column span="2"::: :::column span="2":::
If the Microsoft Entra tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider. If the Microsoft Entra tenant is federated with a non-Microsoft SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=88ad0efb-9031-428c-a3cf-612c47810ecf] > [!VIDEO https://learn-video.azurefd.net/vod/player?id=88ad0efb-9031-428c-a3cf-612c47810ecf]
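Review bot: the sentence in this column is still missing a word after the "third-party" to "non-Microsoft" swap: "federated users can sign using the Web sign-in credential provider" should read "federated users can sign in using the Web sign-in credential provider".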

View File

@ -22,7 +22,7 @@ ms.topic: include
| Feature name | Description | | Feature name | Description |
|:---|:---| |:---|:---|
| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. | | **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. | | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with non-Microsoft identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. | | **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | | **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
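Review bot: in the Web sign-in row, "users can sign-in to Windows" uses the noun form as a verb and should be "users can sign in to Windows"; conversely, in the Federated sign-in row, "enables secure sign in through methods" is the noun and should be "secure sign-in".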

View File

@ -61,7 +61,7 @@ sections:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection
- Non-Microsoft application updates that modify the UEFI\BIOS configuration - Non-Microsoft application updates that modify the UEFI\BIOS configuration
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation) - Manual or non-Microsoft updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation)
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates) - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates)
- BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it reports **Uses Secure Boot for integrity validation** - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it reports **Uses Secure Boot for integrity validation**
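Review bot: the changed bullet writes "secure boot databases" in lowercase while every other bullet in this hunk uses "Secure Boot" ("Uses Secure Boot for integrity validation"); capitalize it for consistency. The final bullet also reads awkwardly ("BitLocker can be checked if it uses Secure Boot"); suggest "To check whether BitLocker uses Secure Boot for integrity validation, run `manage-bde.exe -protectors -get C:`; if it does, the output reports **Uses Secure Boot for integrity validation**".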

File diff suppressed because one or more lines are too long

Image file changed: size 31 KiB before, 16 KiB after.

View File

@ -15,7 +15,7 @@ With this policy you can disable all notification for encryption, warning prompt
This policy takes effect only if [Require device encryption](../configure.md?tabs=os#require-device-encryption) policy is enabled. This policy takes effect only if [Require device encryption](../configure.md?tabs=os#require-device-encryption) policy is enabled.
> [!WARNING] > [!WARNING]
> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. > When you enable BitLocker on a device with non-Microsoft encryption, it may render the device unusable and will require reinstallation of Windows.
The expected values for this policy are: The expected values for this policy are:

View File

@ -33,7 +33,7 @@ After you turn on this feature, your employees might experience reduced function
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used. - Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used.
- Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls). - Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Using first or third-party apps that use memory-based fonts. - Using first or non-Microsoft apps that use memory-based fonts.
- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. - Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
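Review bot: "Using first or non-Microsoft apps that use memory-based fonts" no longer parses after the mechanical "third-party" to "non-Microsoft" substitution, since "first" was paired with "-party" and now dangles. Suggest "Using Microsoft or non-Microsoft apps that use memory-based fonts", or simply "Using apps that use memory-based fonts", as the origin of the app is not what triggers the block.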

View File

@ -28,7 +28,7 @@ Tunneling protocols:
## Universal Windows Platform VPN plug-in ## Universal Windows Platform VPN plug-in
Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. Using the UWP platform, non-Microsoft VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
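Review bot: "Using the UWP platform" expands to "Universal Windows Platform platform"; suggest "Using UWP, non-Microsoft VPN providers can create app-containerized plug-ins..." while the line is being edited.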
@ -41,7 +41,7 @@ The following image shows connection options in a VPN Profile configuration poli
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Available connection types.](images/vpn-connection-intune.png) > ![Available connection types.](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles: In Intune, you can also include custom XML for non-Microsoft plug-in profiles:
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Custom XML.](images/vpn-custom-xml-intune.png) > ![Custom XML.](images/vpn-custom-xml-intune.png)

View File

@ -9,7 +9,7 @@ ms.topic: concept-article
## Hyper-V based containers and VPN ## Hyper-V based containers and VPN
Windows supports different kinds of Hyper-V based containers, like Microsoft Defender Application Guard and Windows Sandbox. When you use a third party VPN solution, the Hyper-V based containers may not be able to seamlessly connect to the internet, and configuration changes may be needed to resolve connectivity issues. Windows supports different kinds of Hyper-V based containers, like Microsoft Defender Application Guard and Windows Sandbox. When you use a non-Microsoft VPN solution, the Hyper-V based containers may not be able to seamlessly connect to the internet, and configuration changes may be needed to resolve connectivity issues.
For example, read about the workaround for Cisco AnyConnect VPN: [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f). For example, read about the workaround for Cisco AnyConnect VPN: [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f).

View File

@ -61,7 +61,7 @@ Disabling Windows Firewall can also cause problems, including:
- Activation of Windows via phone fails - Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall - Application or OS incompatibilities that depend on Windows Firewall
Microsoft recommends disabling Windows Firewall only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed. Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed.
If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc). If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
Stopping the Windows Firewall service isn't supported by Microsoft. Stopping the Windows Firewall service isn't supported by Microsoft.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility. Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.

View File

@ -44,7 +44,7 @@ When first installed, network applications and services issue a *listen call* sp
In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
> [!NOTE] > [!NOTE]
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from non-Microsoft software should be determined by trusted app developers, the user, or the admin on behalf of the user.
### WDAC tagging policies ### WDAC tagging policies
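Review bot: "Allowing all inbound connections by default introduces the network to various threats" should be "exposes the network to various threats"; the sentence is in the changed NOTE line, so it can be fixed in the same hunk.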

View File

@ -611,9 +611,9 @@ Finally, resources can be protected by denying access to endpoints that are unab
Windows has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows-based devices without requiring a separate agent. Windows has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows-based devices without requiring a separate agent.
### Third-party MDM server support ### Non-Microsoft MDM server support
Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). Non-Microsoft MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
> [!NOTE] > [!NOTE]
> MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/). > MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/).

View File

@ -7,7 +7,7 @@ ms.topic: article
# Firewall and network protection # Firewall and network protection
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md). The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other non-Microsoft firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.