Fix tracker

This commit is contained in:
Vinay Pamnani 2023-04-21 16:00:21 -04:00
parent 57f4d3729b
commit 04e13ecb77
17 changed files with 87 additions and 89 deletions

View File

@ -20826,4 +20826,4 @@
"redirect_document_id": false "redirect_document_id": false
} }
] ]
} }
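Review bot: the four visible lines of this redirect entry are identical before and after, so the hunk's only change is invisible here (trailing whitespace or a newline at end of file); worth saying so in the commit message so reviewers don't hunt for a content change in a 20,000-line redirect file.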

View File

@ -67,7 +67,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Us
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
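Review bot: the lightbox conversion drops the trailing period from the alt text ('azure ad enrollment flow.' becomes 'azure ad enrollment flow'), which is fine, but the alt text would serve screen readers better if it said what the diagram shows, for example 'Diagram of Azure AD device registration followed by MDM enrollment'. Not a blocker.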


View File

@ -4,7 +4,7 @@ description: Find out how to manage Device Installation Restrictions with Group
ms.prod: windows-client ms.prod: windows-client
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 09/14/2021 ms.date: 09/14/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
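Review bot: no visible change in this front-matter hunk (likely whitespace). Since this commit rewords the article body, consider also bumping `ms.date` from 09/14/2021 so the page reflects the edit.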
@ -62,7 +62,7 @@ You can ensure that users install only those devices that your technical support
## Scenario Overview ## Scenario Overview
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
Group Policy guides: Group Policy guides:
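Review bot: the stray double period after 'using Group Policy' is fixed. While here, 'see Group Policy at the Microsoft Web site' still carries no link, so a reader can't follow it; either link the Group Policy documentation or drop the sentence.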
@ -83,7 +83,7 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen
### Scenario #4: Prevent installation of a specific USB device ### Scenario #4: Prevent installation of a specific USB device
This scenario, although similar to scenario #2, brings another layer of complexity - how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. This scenario, although similar to scenario #2, brings another layer of complexityhow does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
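Review bot: the replacement for ' - ' leaves 'complexityhow' with no separator between the two words in the new text; whatever dash character was intended did not survive. Use plain punctuation instead, for example 'brings another layer of complexity: how does device connectivity work in the PnP tree?'.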
@ -95,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss
### Device Installation in Windows ### Device Installation in Windows
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definitionit's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
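Review bot: same separator problem as in the Scenario #4 hunk: 'definitionit's' runs the two words together. Suggest 'or, in a more technical definition, it's a single instance of a hardware component'.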
@ -260,7 +260,7 @@ To find device identification strings using Device Manager
!['Details' tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the 'Details' tab to look for the device identifiers_ !['Details' tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the 'Details' tab to look for the device identifiers_
1. From the 'Value' window, copy the most detailed Hardware ID - we'll use this value in the policies. 1. From the 'Value' window, copy the most detailed Hardware IDwe'll use this value in the policies.
![HWID.](images/device-installation-dm-printer-hardware-ids.png) ![HWID.](images/device-installation-dm-printer-hardware-ids.png)
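Review bot: 'Hardware IDwe'll' is missing its separator; 'copy the most detailed Hardware ID; we'll use this value in the policies.' keeps the sense without relying on a dash character.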
@ -351,25 +351,25 @@ Creating the policy to prevent all printers from being installed:
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
1. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318} 1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_ ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
1. Click 'OK'. 1. Click 'OK'.
1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. 1. Click 'Apply' on the bottom right of the policy's windowthis option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
1. Optional - if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' 1. Optionalif you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT] > [!IMPORTANT]
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. > Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
### Testing the scenario ### Testing the scenario
1. If you haven't completed step #9 - follow these steps: 1. If you haven't completed step #9, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app. 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer. 1. You shouldn't be able to reinstall the printer.
1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. 1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
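Review bot: two more run-together separators in this hunk ('windowthis' in the Apply step and 'Optionalif' in the optional step), and the same test sentence is treated three ways in this commit: em dashes in 'For USB printer—unplug and plug back the cable; for network device—make a search', commas in the equivalent step of Scenario #2's test, and plain dashes elsewhere. Pick the comma form everywhere. Putting the printer class GUID in a code span is a good change; the device IDs later in the file deserve the same. The unchanged IMPORTANT line, 'applying it retroactive could render the internal hard-drive unusable and to break the machine', would read better as 'applying it retroactively could render the internal hard drive unusable and break the machine'.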
@ -390,17 +390,17 @@ Setting up the environment for the scenario with the following steps:
Getting the right device identifier to prevent it from being installed: Getting the right device identifier to prevent it from being installed:
1. Get your printer's Hardware ID - in this example we'll use the identifier we found previously 1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously.
![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_ ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
1. Write down the device ID (in this case Hardware ID) - WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers 1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers
Creating the policy to prevent a single printer from being installed: Creating the policy to prevent a single printer from being installed:
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. 1. Open Group Policy Object Editor.
1. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
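Review bot: the new code span in the 'Write down the device ID' step encloses the semicolon, `WSDPRINT\CanonMX920_seriesC1A0;`, so a reader who copies it into the policy gets a stray ';' that will not match the device; move the semicolon outside the backticks (the later 'Enter the printer device ID' step has it right). Also, shortening the first step to 'Open Group Policy Object Editor.' here while the other scenarios keep the full 'either click the Start button, type mmc gpedit.msc...' text is inconsistent; apply one form throughout.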
@ -408,7 +408,7 @@ Creating the policy to prevent a single printer from being installed:
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
1. Enter the printer device ID you found above - WSDPRINT\CanonMX920_seriesC1A0 1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`.
![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_ ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
@ -416,7 +416,7 @@ Creating the policy to prevent a single printer from being installed:
1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install. 1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'. 1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'.
### Testing the scenario ### Testing the scenario
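Review bot: the checkbox label is now quoted as 'Also apply to matching devices that are already installed', while the identical step in Scenario #1 and Scenario #3 still quotes it as 'also apply...'; the label should be quoted the same way everywhere, matching the actual Group Policy UI text.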
@ -426,7 +426,7 @@ If you haven't completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app. 1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer. 1. You shouldn't be able to reinstall the printer.
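Review bot: this is the comma form of the sentence that received em dashes in Scenario #1's test steps; keep this version and align the other one to it.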
@ -457,7 +457,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
1. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
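Review bot: no visible change in this hunk; if it is whitespace only, fine, but the repeated 'Open Group Policy Object Editor - either click the Start button...' line is another place where the dash cleanup done elsewhere in this commit was not applied.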
@ -477,11 +477,11 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. To complete the coverage of all future and existing printers - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK' 1. To complete the coverage of all future and existing printers - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. 1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable itthis policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_ [![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)<br/>_Apply layered order of evaluation policy_
1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. 1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
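Review bot: 'enable itthis policy' has lost its separator; suggest 'enable it. This policy lets you override the wide coverage of the Prevent policy for a specific device.' In the lightbox conversion of the second image, the alt text now opens a quote before 'Apply layered order' but never closes it (the old text ended `criteria.".`); restore the closing quote or drop both. The unchanged step above still uses 'printers - Open the', so the dash cleanup is incomplete within this list.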
@ -522,7 +522,7 @@ Getting the right device identifier to prevent it from being installed and its l
1. Open Device Manager 1. Open Device Manager
1. Find the USB thumb-drive and select it. 1. Find the USB thumb-drive and select it.
![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_ ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree. 1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
@ -531,20 +531,20 @@ Getting the right device identifier to prevent it from being installed and its l
> [!NOTE] > [!NOTE]
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked. > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_ ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
1. Double-click the USB thumb-drive and move to the 'Details' tab. 1. Double-click the USB thumb-drive and move to the 'Details' tab.
1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_ ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed: Creating the policy to prevent a single USB thumb-drive from being installed:
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
1. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
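Review bot: no visible change here, yet 'Hardware ID-we'll' in the copy step has the same dash problem the commit fixes elsewhere, and the device ID USBSTOR\DiskGeneric_Flash_Disk______8.07 should be in a code span like the printer ID, because the run of underscores is significant and easy to lose when copied from rendered text.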
@ -553,7 +553,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block. 1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
1. Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07 1. Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07
![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_ ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
1. Click 'OK'. 1. Click 'OK'.
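Review bot: 'Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07' should get the same treatment as the printer step ('found above: `...`'); the underscores and backslash in this ID render unreliably outside a code span.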
@ -608,7 +608,7 @@ As mentioned in scenario #4, it's not enough to enable only a single hardware ID
- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03 - "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30 - "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
- "Generic USB Hub" -> USB\USB20_HUB - "Generic USB Hub" -> USB\USB20_HUB
![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_ ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
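Review bot: the three hardware IDs in this list (PCI\CC_0C03, USB\ROOT_HUB30, USB\USB20_HUB) are values the reader must enter into the Allow policy; put them in code spans so Markdown doesn't mangle the backslash or underscore. The surrounding sentence is the important caveat and should stay: each Allow entry is the host controller, root hub or hub itself, not a broader class, otherwise the Allow list reopens more than the single authorized thumb drive.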
@ -628,7 +628,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. 1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
1. Navigate to the Device Installation Restriction page: 1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
@ -641,7 +641,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Enter both USB classes GUID you found above with the curly braces: 1. Enter both USB classes GUID you found above with the curly braces:
> {36fc9e60-c465-11cf-8056-444553540000}/ > {36fc9e60-c465-11cf-8056-444553540000}/
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6} > {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
1. Click 'OK'. 1. Click 'OK'.
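Review bot: the two class GUIDs sit in a blockquote with a stray trailing '/' after the first GUID, which a reader entering them into the 'Show...' table may copy along. Render them as a list of code spans instead, `{36fc9e60-c465-11cf-8056-444553540000}` and `{88BAE032-5A81-49f0-BC3D-A4FF138216D6}`, keeping the curly braces that the earlier step says are required.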

View File

@ -26,7 +26,7 @@ To determine if your device is enrolled in the Long-Term Servicing Channel or th
Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information. Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) :::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
## Using Keyword Search ## Using Keyword Search
@ -34,11 +34,11 @@ You can type the following in the search bar and press **ENTER** to see version
- **"winver"**: - **"winver"**:
![screenshot of the About Windows display text.](images/winver.png) :::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text.":::
- **"msinfo"** or **"msinfo32"** to open **System Information**: - **"msinfo"** or **"msinfo32"** to open **System Information**:
![screenshot of the System Information display text.](images/msinfo32.png) :::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text.":::
> [!TIP] > [!TIP]
> You can also use `winver` or `msinfo32` commands at the command prompt. > You can also use `winver` or `msinfo32` commands at the command prompt.
@ -47,8 +47,8 @@ You can type the following in the search bar and press **ENTER** to see version
- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER** - At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER**
![screenshot of system information display text.](images/refcmd.png) :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: - At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
![screenshot of software licensing manager.](images/slmgr_dlv.png) :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::
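Review bot: the image source changes from images/slmgr_dlv.png to images/slmgr-dlv.png; confirm the file was actually renamed in this commit (the binary image entries in this diff don't show names), or the page ships with a broken image. On the unchanged command line, `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"`, the second `/B` appears redundant since the switch applies to every search string; harmless, but worth tidying.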

View File

@ -41,7 +41,7 @@ This article provides independent software vendors (ISV) with the information th
The following diagram provides a conceptual overview of how this works: The following diagram provides a conceptual overview of how this works:
![mobile device update management.](images/mdm-update-sync.png) :::image type="content" source="images/mdm-update-sync.png" alt-text="mobile device update management.":::
The diagram can be roughly divided into three areas: The diagram can be roughly divided into three areas:
@ -69,7 +69,7 @@ Some important highlights:
- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). - For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> [!NOTE] > [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn't affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). > Over time, Microsoft Update modifies metadata for a given update, for example, by updating descriptive information, fixing bugs in applicability rules, making localization changes, and so on. Each time a change occurs that doesn't affect the update itself, a new update revision is created. An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key for an update revision. The MDM doesn't present an update revision to IT. Instead, for each UpdateID (GUID) the MDM keeps the metadata for the later revision of that update, which is the one with the highest revision number.
### Examples of update metadata XML structure and element descriptions ### Examples of update metadata XML structure and element descriptions
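Review bot: the rewritten note in this hunk turns a recommendation into a statement of fact and weakens it in the process: "The MDM should not expose the notion of an update revision to IT ... should just keep the metadata for the later revision" became "The MDM doesn't present an update revision to IT ... keeps the metadata for the later revision". This page is guidance for MDM implementers, so the normative wording carries the point; suggest "The MDM shouldn't expose update revisions to IT. Instead, for each UpdateID (GUID) keep only the metadata for the latest revision (the one with the highest RevisionNumber)." Also, "An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key" doesn't parse; "The identity of an update revision is the pair (UpdateID, RevisionNumber)" says the same thing, and "later revision" should be "latest revision" in both the old and new text.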
@ -77,15 +77,15 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **UpdateID** - The unique identifier for an update - **UpdateID** - The unique identifier for an update
- **RevisionNumber** - Revision number for the update in case the update was modified. - **RevisionNumber** - Revision number for the update in case the update was modified.
- **CreationDate** - the date on which this update was created. - **CreationDate** - The date on which this update was created.
- **UpdateType** - The type of update, which could include the following: - **UpdateType** - The type of update, which could include the following:
- **Detectoid** - if this update identity represents a compatibility logic - **Detectoid** - If this update identity represents a compatibility logic
- **Category** - This element could represent either of the following: - **Category** - This element could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office, and so on. - A Product category the update belongs to. For example, Windows, MS office, and so on.
- The classification the update belongs to. For example, drivers, security, and so on. - The classification the update belongs to. For example, drivers, security, and so on.
- **Software** - If the update is a software update. - **Software** - If the update is a software update.
- **Driver** - if the update is a driver update. - **Driver** - If the update is a driver update.
- **LocalizedProperties** - represents the language the update is available in, title and description of the update. It has the following fields: - **LocalizedProperties** - Represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** - The language code identifier (LCID). For example, en or es. - **Language** - The language code identifier (LCID). For example, en or es.
- **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)" - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)"
- **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed." - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed."
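Review bot: the capitalisation fixes in this hunk leave an inaccuracy standing in the Language bullet: "The language code identifier (LCID). For example, en or es." An LCID is a numeric locale identifier (1033 for en-US), whereas "en" and "es" are language tags. The examples are right for this field, so the term should be "language tag" (or "language code") rather than "LCID".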
@ -106,10 +106,9 @@ The following procedure describes a basic algorithm for a metadata sync service:
1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. 1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
1. Sync periodically (we recommend once every 2 hours - no more than once/hour). 1. Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
1. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: 1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - Remove updates from the "needed update IDs to fault in" list once they've been brought in.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed. These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed.
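Review bot: the merged step 4 in this hunk leaves a stray closing parenthesis: "in [Protocol Examples](...)), and call GetUpdateData" - the old text opened a parenthetical with "(see" that the rewrite dropped, so the second ")" has to go too. While here, the two surviving sub-bullets (replace the older revision, remove the ID from the fault-in list) now hang off a sentence that already completes the step; either keep "and:" with all three actions as sub-bullets, or fold all three into the sentence, so the list reads consistently.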
@ -118,15 +117,15 @@ These steps get information about the set of Microsoft Updates that IT needs to
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information: An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. The key aspects of update management include the following information:
- Configure automatic update policies to ensure devices stay up to date. - Configure automatic update policies to ensure devices stay up to date.
- Get device compliance information (the list of updates that are needed but not yet installed) - Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. - Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs - Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs.
The following list describes a suggested model for applying updates. The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group". 1. Have a "Test Group" and an "All Group".
1. In the Test group, just let all updates flow. 1. In the Test group, let all updates flow.
1. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. 1. In the All Group, set the Quality Update deferral for seven days, and then, Quality Updates are auto approved after seven days. Quality Update deferrals exclude Definition Updates, so Definition Updates automatically are approved when they're available. Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven. Let updates flow after seven days or by pausing if any issues occur.
Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md). Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md).
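Review bot: the rewritten step 3 in this hunk inverts the deferral guidance. The old text said to set Update/DeferQualityUpdatesPeriodInDays to seven to implement the All Group's seven-day Quality Update deferral, and noted that Definition Updates are excluded from that deferral and are auto-approved as soon as they're available. The new sentence "Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven" tells the reader that the policy aligns definition updates to the seven-day delay, which is the opposite of what the policy does and, for antimalware definitions, the opposite of what you want. Suggest: "Set Update/DeferQualityUpdatesPeriodInDays to 7 so Quality Updates are auto-approved after seven days. Definition Updates aren't subject to this deferral and are approved as soon as they're available. Let updates flow after seven days, or pause if issues occur." Minor: "automatically are approved" reads better as "are approved automatically".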
@ -134,9 +133,9 @@ Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md).
The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
![mdm update management screenshot.](images/deviceupdatescreenshot1.png) :::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot.":::
![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) :::image type="content" source="images/deviceupdatescreenshot2.png" alt-text="mdm update management metadata screenshot.":::
### SyncML example ### SyncML example
@ -189,19 +188,19 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png) :::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3.":::
![mdm device update management screenshot4](images/deviceupdatescreenshot4.png) :::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4":::
![mdm device update management screenshot5](images/deviceupdatescreenshot5.png) :::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5":::
![mdm device update management screenshot6](images/deviceupdatescreenshot6.png) :::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6":::
![mdm device update management screenshot7](images/deviceupdatescreenshot7.png) :::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7":::
![mdm device update management screenshot8](images/deviceupdatescreenshot8.png) :::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8":::
![mdm device update management screenshot9](images/deviceupdatescreenshot9.png) :::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9":::
## Related articles ## Related articles
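Review bot: the alt text carried into the new :::image syntax in this hunk ("mdm device update management screenshot4" and so on) says nothing about what each screenshot shows, and only the first of the seven ends with a period. Other hunks in this commit move to "Screenshot of ..." phrasing; since the lead sentence says these show the WSUS and Microsoft Update Catalog import flow, describing the step in each one (for example "Screenshot of importing an update from the Microsoft Update Catalog into WSUS") would make the alt text consistent and actually useful to screen-reader users.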

@ -62,13 +62,19 @@
"jborsecnik", "jborsecnik",
"tiburd", "tiburd",
"garycentric", "garycentric",
"beccarobins" "beccarobins",
"american-dipper",
"angelamotherofdragons",
"v-stsavell",
"stacyrch140"
], ],
"searchScope": ["Windows 10"] "searchScope": [
"Windows 10"
]
}, },
"fileMetadata": {}, "fileMetadata": {},
"template": [], "template": [],
"dest": "win-client-management", "dest": "win-client-management",
"markdownEngineName": "markdig" "markdownEngineName": "markdig"
} }
} }

@ -28,9 +28,6 @@ Summary of steps to enable a policy:
See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune.
<!-- >[!TIP] -->
<!-- >Intune has added a number of ADMX administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) -->
## Enable a policy ## Enable a policy
> [!NOTE] > [!NOTE]
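Review bot: this hunk deletes the commented-out tip instead of restoring it, and the guidance it carried is still worth having on the page: check whether the policy you need already exists as an Intune administrative template before falling back to ADMX ingestion through the SyncML method described below. If the /intune/administrative-templates-windows link is what made the tip stale, suggest re-adding it as a live [!TIP] with a current link rather than dropping the advice.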

@ -107,7 +107,7 @@ When a group policy refresh occurs on the client, a task is created and schedule
If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
> [!TIP] > [!TIP]
> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). > You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
@ -116,7 +116,7 @@ If two-factor authentication is required, you'll be prompted to complete the pro
To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information.
![Work School Settings.](images/autoenrollment-settings-work-school.png) :::image type="content" source="images/autoenrollment-settings-work-school.png" alt-text="Screenshot of Work School Settings.":::
> [!NOTE] > [!NOTE]
> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md). > If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md).
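Review bot: the sentence above the changed image line in this hunk has a missing space that runs two sentences together: "select your domain account.Select **Info** to see the MDM enrollment information." Since the hunk already touches this block, fix it in the same change: "select your domain account. Select **Info** to see the MDM enrollment information."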

Binary file not shown.

@ -19,7 +19,7 @@ appliesto:
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization. Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows much faster. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.

@ -24,7 +24,7 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). 1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
@ -49,21 +49,19 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
This information can also be found on the Azure AD device list. This information can also be found on the Azure AD device list.
![Azure AD device list.](images/azure-ad-device-list.png)
1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. 1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`.
![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. 1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: :::image type="content" alt-text="Screenshot of Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
1. Verify that Microsoft Intune allows enrollment of Windows devices. 1. Verify that Microsoft Intune allows enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: :::image type="content" alt-text="Screenshot of Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
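Review bot: this hunk removes the "Azure AD device list" screenshot but converts only two of the three remaining images in the hunk to the :::image syntax; "![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)" is left as a plain markdown image with no lightbox, unlike its neighbours. Also, with the screenshot gone, the sentence "This information can also be found on the Azure AD device list." no longer points at anything on the page; either link to the Azure AD devices view or drop the sentence.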
## Troubleshoot group policy enrollment ## Troubleshoot group policy enrollment
@ -78,13 +76,13 @@ Investigate the logs if you have issues even after performing all the verificati
1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: 1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: :::image type="content" alt-text="Screenshot of Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
:::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: :::image type="content" alt-text="Screenshot of Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
@ -92,31 +90,31 @@ If you can't find event ID 75 in the logs, it indicates that the auto-enrollment
The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
> [!NOTE] > [!NOTE]
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
:::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: :::image type="content" alt-text="Screenshot of Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
When the task is completed, a new event ID 102 is logged. When the task is completed, a new event ID 102 is logged.
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: :::image type="content" alt-text="Screenshot of Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
:::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: :::image type="content" alt-text="Screenshot showing manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
## Error codes ## Error codes
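Review bot: the unchanged line "go for the key that displays most entries as the screenshot above" is missing an article and a comma; since this hunk already touches the surrounding lines, suggest "go for the key that displays the most entries, as in the screenshot above". Because the resolution is a manual deletion under HKLM\Software\Microsoft\Enrollments, one sentence telling the reader to export the key before removing it (so the change can be reverted if the wrong key is picked) would also help.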

View File

@ -32,7 +32,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore". The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore".
![ssl settings.](images/ssl-settings.png) :::image type="content" source="images/ssl-settings.png" alt-text="Screenshot of SSL settings in IIS.":::
## MDM enrollment fails on the Windows device when traffic is going through proxy ## MDM enrollment fails on the Windows device when traffic is going through proxy
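Review bot: the new `:::image` directive on the SSL settings line omits the `lightbox` attribute that the other image conversions in this commit carry (the auto-enrollment screenshots above use `lightbox="images/..."`). For consistency, suggest `:::image type="content" source="images/ssl-settings.png" alt-text="Screenshot of SSL settings in IIS." lightbox="images/ssl-settings.png":::`.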

View File

@ -1,7 +1,7 @@
--- ---
title: Using PowerShell scripting with the WMI Bridge Provider title: Using PowerShell scripting with the WMI Bridge Provider
description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
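Review bot: none of the seven front-matter lines in this hunk show a visible change (title, description, ms.reviewer, manager, ms.author and ms.topic read the same on both sides), so the edit is presumably whitespace or a line ending. If that is intended, a mention in the commit message would save reviewers from hunting for the difference; otherwise drop the hunk.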
@ -44,7 +44,7 @@ The following script describes how to create, enumerate, query, modify, and dele
$namespaceName = "root\cimv2\mdm\dmmap" $namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_Policy_Config01_WiFi02" $className = "MDM_Policy_Config01_WiFi02"
# Create a new instance for MDM_Policy_Config01_WiFi02 # Create a new instance for MDM_Policy_Config01_WiFi02
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100} New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100}
# Enumerate all instances available for MDM_Policy_Config01_WiFi02 # Enumerate all instances available for MDM_Policy_Config01_WiFi02
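Review bot: as with the front-matter hunk, the `New-CimInstance` lines here are identical on both sides, so please state in the commit message if only whitespace changed. If this line is being touched anyway, the single long `-Property @{...}` hashtable would be easier to read and copy if its five keys were split across lines.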
@ -86,15 +86,13 @@ class MDM_Policy_User_Config01_Authentication02
}; };
``` ```
> **Note** If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. > [!NOTE]
> If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt.
If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets.
> **Note** All commands must executed under local system. > [!NOTE]
> All commands must executed under local system.
A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001.
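Review bot: the converted note on the local system requirement drops a verb: "All commands must executed under local system" should read "All commands must be executed under local system" (ideally "as the local system account"). The conversion of both notes to the `> [!NOTE]` alert syntax is otherwise correct.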

View File

@ -20,7 +20,7 @@ appliesto:
You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
NOTE: Starting from the following Windows versions Replace command is supported: Starting from the following Windows versions `Replace` command is supported:
- Windows 10, version 1903 with KB4512941 and KB4517211installed - Windows 10, version 1903 with KB4512941 and KB4517211installed
- Windows 10, version 1809 withKB4512534and KB installed - Windows 10, version 1809 withKB4512534and KB installed
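Review bot: the reworded lead sentence still reads awkwardly; suggest "The `Replace` command is supported starting from the following Windows versions:" with a colon introducing the list. The two list items are missing spaces around the KB numbers ("KB4517211installed", "withKB4512534and"), and the second item ends in "and KB installed" with no article number, which looks like an accidental deletion; please restore the number or drop the "and KB".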