diff --git a/.github/workflows/Stale.yml b/.github/workflows/Stale.yml
new file mode 100644
index 0000000000..101ee8ba9c
--- /dev/null
+++ b/.github/workflows/Stale.yml
@@ -0,0 +1,19 @@
+name: (Scheduled) Mark stale pull requests
+
+permissions:
+  issues: write
+  pull-requests: write
+
+on:
+  schedule:
+  - cron: "0 */6 * * *"
+  workflow_dispatch:
+
+jobs:
+  stale:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
+    with:
+      RunDebug: true
+      RepoVisibility: ${{ github.repository_visibility }}
+    secrets:
+      AccessToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index 07c68d9f04..1cf28badea 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: CloudDesktop DDF file
 description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
         <MSFT:CspVersion>2.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -139,7 +139,7 @@ The following XML file contains the device description framework (DDF) for the C
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.22621.3374</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 198570987e..9841e9f442 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,7 @@
 ---
 title: Defender CSP
 description: Learn more about the Defender CSP.
-ms.date: 06/21/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1289,7 +1289,7 @@ Define data duplication remote location for Device Control. When configuring thi
 
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
 <!-- Description-Source-DDF -->
-Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
+Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
 
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@@ -1304,7 +1304,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Allowed Values | Range: `[7-60]` |
-| Default Value  | 25 |
+| Default Value  | 30 |
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
 
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index f286ba947c..2055d5bdf0 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,7 @@
 ---
 title: Defender DDF file
 description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-ms.date: 06/28/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -2373,8 +2373,8 @@ The following XML file contains the device description framework (DDF) for the D
             <Get />
             <Replace />
           </AccessType>
-          <DefaultValue>25</DefaultValue>
-          <Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
+          <DefaultValue>30</DefaultValue>
+          <Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 30 days when enabled.</Description>
           <DFFormat>
             <int />
           </DFFormat>
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index e269946643..4d6dc724a9 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -1,7 +1,7 @@
 ---
 title: Firewall CSP
 description: Learn more about the Firewall CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -2221,7 +2221,7 @@ Specifies the friendly name of the firewall rule.
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
+Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Description-End -->
 
 <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-PolicyAppId-Editable-Begin -->
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index 0e5e7d5b2d..76508deef5 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -1,7 +1,7 @@
 ---
 title: LAPS CSP
 description: Learn more about the LAPS CSP.
-ms.date: 06/21/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 06/21/2024
 <!-- LAPS-Begin -->
 # LAPS CSP
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- LAPS-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@@ -432,7 +430,7 @@ If the specified user or group account is invalid the device will fallback to us
 <!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
 
 <!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
@@ -488,7 +486,7 @@ If not specified, this setting defaults to False.
 <!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
 
 <!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
@@ -543,7 +541,7 @@ If not specified, this setting defaults to False.
 <!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
 
 <!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
@@ -587,7 +585,7 @@ If not specified, this setting will default to "WLapsAdmin".
 <!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
 
 <!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
@@ -643,7 +641,7 @@ If not specified, this setting defaults to False.
 <!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
 
 <!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
@@ -759,7 +757,7 @@ If not specified, this setting will default to 0.
 <!-- Device-Policies-PassphraseLength-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Device-Policies-PassphraseLength-Applicability-End -->
 
 <!-- Device-Policies-PassphraseLength-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index 5d06e470a6..d32a646434 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: LAPS DDF file
 description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-ms.date: 06/28/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -327,7 +327,7 @@ This setting has a maximum allowed value of 10 words.</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="Range">
@@ -690,7 +690,7 @@ If not specified, this setting defaults to False.</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="ENUM">
@@ -736,7 +736,7 @@ If not specified, this setting will default to 1.</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="ENUM">
@@ -791,7 +791,7 @@ If not specified, this setting will default to "WLapsAdmin".</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:DependencyBehavior>
@@ -839,7 +839,7 @@ If not specified, this setting defaults to False.</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="ENUM">
@@ -897,7 +897,7 @@ If not specified, this setting defaults to False.</Description>
             <MIME />
           </DFType>
           <MSFT:Applicability>
-            <MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
+            <MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.1</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="ENUM">
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index 052f60bfcd..6cf4a75b50 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,7 +1,7 @@
 ---
 title: Personalization DDF file
 description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index c0c0fd2588..826ef1ac3b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -137,7 +137,6 @@ ms.date: 02/03/2023
 - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) <sup>11</sup>
 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) <sup>11</sup>
 - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) <sup>11</sup>
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) <sup>11</sup>
 - [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
 - [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
 - [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index 0ad7b632c3..2c62565783 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 09/11/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -17,6 +17,7 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
 - [TurnOffAPISamping](policy-csp-appdeviceinventory.md#turnoffapisamping)
 - [TurnOffApplicationFootprint](policy-csp-appdeviceinventory.md#turnoffapplicationfootprint)
+- [TurnOffWin32AppBackup](policy-csp-appdeviceinventory.md#turnoffwin32appbackup)
 
 ## ClientCertificateInstall CSP
 
@@ -28,15 +29,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
 - [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
 
-## Cryptography
-
-- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
-- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
-- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
-- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
-- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
-- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
-
 ## DeclaredConfiguration CSP
 
 - [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
@@ -47,23 +39,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
 - [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
 
-## DesktopAppInstaller
-
-- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md#enablewindowspackagemanagercommandlineinterfaces)
-- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md#enablewindowspackagemanagerconfiguration)
-
-## DeviceLock
-
-- [MaximumPasswordAge](policy-csp-devicelock.md#maximumpasswordage)
-- [ClearTextPassword](policy-csp-devicelock.md#cleartextpassword)
-- [PasswordComplexity](policy-csp-devicelock.md#passwordcomplexity)
-- [PasswordHistorySize](policy-csp-devicelock.md#passwordhistorysize)
-- [AccountLockoutPolicy](policy-csp-devicelock.md#accountlockoutpolicy)
-- [AllowAdministratorLockout](policy-csp-devicelock.md#allowadministratorlockout)
-- [MinimumPasswordLength](policy-csp-devicelock.md#minimumpasswordlength)
-- [MinimumPasswordLengthAudit](policy-csp-devicelock.md#minimumpasswordlengthaudit)
-- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md#relaxminimumpasswordlengthlimits)
-
 ## DevicePreparation CSP
 
 - [PageEnabled](devicepreparation-csp.md#pageenabled)
@@ -84,12 +59,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
 - [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
 
-## Experience
-
-- [AllowScreenRecorder](policy-csp-experience.md#allowscreenrecorder)
-- [EnableOrganizationalMessages](policy-csp-experience.md#enableorganizationalmessages)
-- [DisableTextTranslation](policy-csp-experience.md#disabletexttranslation)
-
 ## FileSystem
 
 - [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@@ -99,13 +68,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 
 - [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
 
-## HumanPresence
-
-- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md#forcedisablewakewhenbatterysaveron)
-- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowwakewhenexternaldisplayconnected)
-- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowlockwhenexternaldisplayconnected)
-- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md#forceallowdimwhenexternaldisplayconnected)
-
 ## InternetExplorer
 
 - [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@@ -121,49 +83,8 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
 - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
 
-## LAPS CSP
-
-- [PassphraseLength](laps-csp.md#policiespassphraselength)
-- [AutomaticAccountManagementEnabled](laps-csp.md#policiesautomaticaccountmanagementenabled)
-- [AutomaticAccountManagementTarget](laps-csp.md#policiesautomaticaccountmanagementtarget)
-- [AutomaticAccountManagementNameOrPrefix](laps-csp.md#policiesautomaticaccountmanagementnameorprefix)
-- [AutomaticAccountManagementEnableAccount](laps-csp.md#policiesautomaticaccountmanagementenableaccount)
-- [AutomaticAccountManagementRandomizeName](laps-csp.md#policiesautomaticaccountmanagementrandomizename)
-
 ## LocalPoliciesSecurityOptions
 
-- [Audit_AuditTheUseOfBackupAndRestoreprivilege](policy-csp-localpoliciessecurityoptions.md#audit_audittheuseofbackupandrestoreprivilege)
-- [Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings](policy-csp-localpoliciessecurityoptions.md#audit_forceauditpolicysubcategorysettingstooverrideauditpolicycategorysettings)
-- [Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits](policy-csp-localpoliciessecurityoptions.md#audit_shutdownsystemimmediatelyifunabletologsecurityaudits)
-- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md#devices_restrictfloppyaccesstolocallyloggedonuseronly)
-- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptorsignsecurechanneldataalways)
-- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallyencryptsecurechanneldatawhenpossible)
-- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md#domainmember_digitallysignsecurechanneldatawhenpossible)
-- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md#domainmember_disablemachineaccountpasswordchanges)
-- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md#domainmember_maximummachineaccountpasswordage)
-- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md#domainmember_requirestrongsessionkey)
-- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md#interactivelogon_machineaccountlockoutthreshold)
-- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
-- [InteractiveLogon_PromptUserToChangePasswordBeforeExpiration](policy-csp-localpoliciessecurityoptions.md#interactivelogon_promptusertochangepasswordbeforeexpiration)
-- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_amountofidletimerequiredbeforesuspendingsession)
-- [MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_disconnectclientswhenlogonhoursexpire)
-- [MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel](policy-csp-localpoliciessecurityoptions.md#microsoftnetworkserver_serverspntargetnamevalidationlevel)
-- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md#networkaccess_allowanonymoussidornametranslation)
-- [NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication](policy-csp-localpoliciessecurityoptions.md#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication)
-- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md#networkaccess_leteveryonepermissionsapplytoanonymoususers)
-- [NetworkAccess_NamedPipesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_namedpipesthatcanbeaccessedanonymously)
-- [NetworkAccess_RemotelyAccessibleRegistryPaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypaths)
-- [NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths](policy-csp-localpoliciessecurityoptions.md#networkaccess_remotelyaccessibleregistrypathsandsubpaths)
-- [NetworkAccess_SharesThatCanBeAccessedAnonymously](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharesthatcanbeaccessedanonymously)
-- [NetworkAccess_SharingAndSecurityModelForLocalAccounts](policy-csp-localpoliciessecurityoptions.md#networkaccess_sharingandsecuritymodelforlocalaccounts)
-- [NetworkSecurity_AllowLocalSystemNULLSessionFallback](policy-csp-localpoliciessecurityoptions.md#networksecurity_allowlocalsystemnullsessionfallback)
-- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md#networksecurity_forcelogoffwhenlogonhoursexpire)
-- [NetworkSecurity_LDAPClientSigningRequirements](policy-csp-localpoliciessecurityoptions.md#networksecurity_ldapclientsigningrequirements)
-- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowautomaticadministrativelogon)
-- [RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders](policy-csp-localpoliciessecurityoptions.md#recoveryconsole_allowfloppycopyandaccesstoalldrivesandallfolders)
-- [SystemCryptography_ForceStrongKeyProtection](policy-csp-localpoliciessecurityoptions.md#systemcryptography_forcestrongkeyprotection)
-- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md#systemobjects_requirecaseinsensitivityfornonwindowssubsystems)
-- [SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects](policy-csp-localpoliciessecurityoptions.md#systemobjects_strengthendefaultpermissionsofinternalsystemobjects)
 - [UserAccountControl_BehaviorOfTheElevationPromptForAdministratorProtection](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_behavioroftheelevationpromptforadministratorprotection)
 - [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md#useraccountcontrol_typeofadminapprovalmode)
 
@@ -174,23 +95,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
 - [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
 
-## MSSecurityGuide
-
-- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md#netbtnodetypeconfiguration)
-
-## NetworkListManager
-
-- [AllNetworks_NetworkIcon](policy-csp-networklistmanager.md#allnetworks_networkicon)
-- [AllNetworks_NetworkLocation](policy-csp-networklistmanager.md#allnetworks_networklocation)
-- [AllNetworks_NetworkName](policy-csp-networklistmanager.md#allnetworks_networkname)
-- [IdentifyingNetworks_LocationType](policy-csp-networklistmanager.md#identifyingnetworks_locationtype)
-- [UnidentifiedNetworks_LocationType](policy-csp-networklistmanager.md#unidentifiednetworks_locationtype)
-- [UnidentifiedNetworks_UserPermissions](policy-csp-networklistmanager.md#unidentifiednetworks_userpermissions)
-
-## Notifications
-
-- [DisableAccountNotifications](policy-csp-notifications.md#disableaccountnotifications)
-
 ## PassportForWork CSP
 
 - [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -202,77 +106,15 @@ This article lists the policies that are applicable for Windows Insider Preview
 
 ## RemoteDesktopServices
 
-- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md#limitservertoclientclipboardredirection)
-- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md#limitclienttoserverclipboardredirection)
-- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md#disconnectonlocklegacyauthn)
-- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md#disconnectonlockmicrosoftidentityauthn)
 - [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
 
-## Search
-
-- [ConfigureSearchOnTaskbarMode](policy-csp-search.md#configuresearchontaskbarmode)
-
-## SettingsSync
-
-- [DisableAccessibilitySettingSync](policy-csp-settingssync.md#disableaccessibilitysettingsync)
-- [DisableLanguageSettingSync](policy-csp-settingssync.md#disablelanguagesettingsync)
-
-## Sudo
-
-- [EnableSudo](policy-csp-sudo.md#enablesudo)
-
 ## SurfaceHub CSP
 
 - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
 
-## System
-
-- [HideUnsupportedHardwareNotifications](policy-csp-system.md#hideunsupportedhardwarenotifications)
-
-## SystemServices
-
-- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md#configurecomputerbrowserservicestartupmode)
-- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md#configureiisadminservicestartupmode)
-- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md#configureinfraredmonitorservicestartupmode)
-- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md#configureinternetconnectionsharingservicestartupmode)
-- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md#configurelxssmanagerservicestartupmode)
-- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md#configuremicrosoftftpservicestartupmode)
-- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md#configureremoteprocedurecalllocatorservicestartupmode)
-- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md#configureroutingandremoteaccessservicestartupmode)
-- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md#configuresimpletcpipservicesstartupmode)
-- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md#configurespecialadministrationconsolehelperservicestartupmode)
-- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md#configuressdpdiscoveryservicestartupmode)
-- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md#configureupnpdevicehostservicestartupmode)
-- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md#configurewebmanagementservicestartupmode)
-- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md#configurewindowsmediaplayernetworksharingservicestartupmode)
-- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md#configurewindowsmobilehotspotservicestartupmode)
-- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md#configureworldwidewebpublishingservicestartupmode)
-
 ## Update
 
 - [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
-- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md#configuredeadlinenoautorebootforfeatureupdates)
-- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md#configuredeadlinenoautorebootforqualityupdates)
-- [AlwaysAutoRebootAtScheduledTimeMinutes](policy-csp-update.md#alwaysautorebootatscheduledtimeminutes)
-
-## UserRights
-
-- [BypassTraverseChecking](policy-csp-userrights.md#bypasstraversechecking)
-- [ReplaceProcessLevelToken](policy-csp-userrights.md#replaceprocessleveltoken)
-- [ChangeTimeZone](policy-csp-userrights.md#changetimezone)
-- [ShutDownTheSystem](policy-csp-userrights.md#shutdownthesystem)
-- [LogOnAsBatchJob](policy-csp-userrights.md#logonasbatchjob)
-- [ProfileSystemPerformance](policy-csp-userrights.md#profilesystemperformance)
-- [DenyLogOnAsBatchJob](policy-csp-userrights.md#denylogonasbatchjob)
-- [LogOnAsService](policy-csp-userrights.md#logonasservice)
-- [IncreaseProcessWorkingSet](policy-csp-userrights.md#increaseprocessworkingset)
-- [DenyLogOnAsService](policy-csp-userrights.md#denylogonasservice)
-- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md#adjustmemoryquotasforprocess)
-- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md#allowlogonthroughremotedesktop)
-
-## WebThreatDefense
-
-- [AutomaticDataCollection](policy-csp-webthreatdefense.md#automaticdatacollection)
 
 ## Wifi
 
@@ -281,7 +123,7 @@ This article lists the policies that are applicable for Windows Insider Preview
 
 ## WindowsAI
 
-- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
+- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
 - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
 - [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
 
@@ -294,11 +136,6 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription)
 - [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription)
 
-## WindowsSandbox
-
-- [AllowMappedFolders](policy-csp-windowssandbox.md#allowmappedfolders)
-- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md#allowwritetomappedfolders)
-
 ## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 0fa200d984..1823ce5450 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,7 +1,7 @@
 ---
 title: Policy CSP
 description: Learn more about the Policy CSP.
-ms.date: 08/07/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1152,6 +1152,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 - [Settings](policy-csp-settings.md)
 - [SettingsSync](policy-csp-settingssync.md)
 - [SmartScreen](policy-csp-smartscreen.md)
+- [SpeakForMe](policy-csp-speakforme.md)
 - [Speech](policy-csp-speech.md)
 - [Start](policy-csp-start.md)
 - [Stickers](policy-csp-stickers.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 0cdd78d66b..3f48213786 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_AppxPackageManager Policy CSP
 description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -32,7 +32,7 @@ ms.date: 08/06/2024
 
 <!-- AllowDeploymentInSpecialProfiles-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
+This policy setting allows you to manage the deployment of packaged Microsoft Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off:
 
 Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
 
@@ -42,9 +42,9 @@ Temporary user profiles, which are created when an error prevents the correct pr
 
 User profiles for the Guest account and members of the Guests group.
 
-- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
+- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of packaged Microsoft Store apps when using a special profile.
 
-- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
+- If you disable or don't configure this policy setting, Group Policy blocks deployment operations of packaged Microsoft Store apps when using a special profile.
 <!-- AllowDeploymentInSpecialProfiles-Description-End -->
 
 <!-- AllowDeploymentInSpecialProfiles-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index 540235107e..1cc79f97a0 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_AppXRuntime Policy CSP
 description: Learn more about the ADMX_AppXRuntime Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -32,11 +32,11 @@ ms.date: 08/06/2024
 
 <!-- AppxRuntimeApplicationContentUriRules-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
+This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer.
 
-- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
+- If you enable this policy setting, you can define additional Content URI Rules that all packaged Microsoft Store apps that use the enterpriseAuthentication capability on a computer can use.
 
-- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
+- If you disable or don't set this policy setting, packaged Microsoft Store apps will only use the static Content URI Rules.
 <!-- AppxRuntimeApplicationContentUriRules-Description-End -->
 
 <!-- AppxRuntimeApplicationContentUriRules-Editable-Begin -->
@@ -60,7 +60,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static
 | Name | Value |
 |:--|:--|
 | Name | AppxRuntimeApplicationContentUriRules |
-| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps |
+| Friendly Name | Turn on dynamic Content URI Rules for packaged Microsoft Store apps |
 | Location | Computer Configuration |
 | Path | Windows Components > App runtime |
 | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications |
@@ -95,11 +95,11 @@ This policy setting lets you turn on Content URI Rules to supplement the static
 
 <!-- AppxRuntimeBlockFileElevation-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
+This policy setting lets you control whether packaged Microsoft Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a packaged Microsoft Store app might compromise the system by opening a file in the default desktop app for a file type.
 
-- If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
+- If you enable this policy setting, packaged Microsoft Store apps can't open files in the default desktop app for a file type; they can open files only in other packaged Microsoft Store apps.
 
-- If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
+- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open files in the default desktop app for a file type.
 <!-- AppxRuntimeBlockFileElevation-Description-End -->
 
 <!-- AppxRuntimeBlockFileElevation-Editable-Begin -->
@@ -219,14 +219,14 @@ This policy shouldn't be enabled unless recommended by Microsoft as a security r
 
 <!-- AppxRuntimeBlockProtocolElevation-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
+This policy setting lets you control whether packaged Microsoft Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than packaged Microsoft Store apps, there is a risk that a URI scheme launched by a packaged Microsoft Store app might compromise the system by launching a desktop app.
 
-- If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
+- If you enable this policy setting, packaged Microsoft Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other packaged Microsoft Store apps.
 
-- If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
+- If you disable or don't configure this policy setting, packaged Microsoft Store apps can open URIs in the default desktop app for a URI scheme.
 
 > [!NOTE]
-> Enabling this policy setting doesn't block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
+> Enabling this policy setting doesn't block packaged Microsoft Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
 <!-- AppxRuntimeBlockProtocolElevation-Description-End -->
 
 <!-- AppxRuntimeBlockProtocolElevation-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index af2f85b62d..fa0478440b 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_ControlPanelDisplay Policy CSP
 description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1351,7 +1351,7 @@ Specifies which theme file is applied to the computer the first time a user logs
 |:--|:--|
 | Name | CPL_Personalization_SetTheme |
 | Friendly Name | Load a specific theme |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
 | Path | Control Panel > Personalization |
 | Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
 | ADMX File Name | ControlPanelDisplay.admx |
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
index 94711a96ae..f3aa4eedc9 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_DeviceGuard Policy CSP
 description: Learn more about the ADMX_DeviceGuard Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -34,7 +34,7 @@ ms.date: 08/06/2024
 
 <!-- ConfigCIPolicy-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Deploy Windows Defender Application Control.
+Deploy App Control for Business.
 
 This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine.
 
@@ -69,7 +69,7 @@ If using a signed and protected policy then disabling this policy setting doesn'
 | Name | Value |
 |:--|:--|
 | Name | ConfigCIPolicy |
-| Friendly Name | Deploy Windows Defender Application Control |
+| Friendly Name | Deploy App Control for Business |
 | Location | Computer Configuration |
 | Path | System > Device Guard |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 2f447009b6..dc1ec2aa56 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_DnsClient Policy CSP
 description: Learn more about the ADMX_DnsClient Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -91,7 +91,7 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie
 
 <!-- DNS_AppendToMultiLabelName-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+Specifies that the DNS client may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
 
 A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot.
 
@@ -103,7 +103,7 @@ If attaching suffixes is allowed, and a DNS client with a primary domain suffix
 
 - If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
 
-- If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+- If you don't configure this policy setting, the DNS client will use its local settings to determine the query behavior for unqualified multi-label names.
 <!-- DNS_AppendToMultiLabelName-Description-End -->
 
 <!-- DNS_AppendToMultiLabelName-Editable-Begin -->
@@ -162,9 +162,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local
 
 To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
 
-- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by the DNS client.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied connection specific DNS suffix, if configured.
 <!-- DNS_Domain-Description-End -->
 
 <!-- DNS_Domain-Editable-Begin -->
@@ -234,7 +234,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
 
 For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
 
-If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
 
 For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
 
@@ -295,11 +295,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
 
 <!-- DNS_IdnEncoding-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
 
 - If this policy setting is enabled, IDNs aren't converted to Punycode.
 
-- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+- If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the DNS client is on non-domain networks with no WINS servers configured.
 <!-- DNS_IdnEncoding-Description-End -->
 
 <!-- DNS_IdnEncoding-Editable-Begin -->
@@ -413,13 +413,13 @@ Specifies whether the DNS client should convert internationalized domain names (
 
 <!-- DNS_NameServer-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+Defines the DNS servers to which the DNS client sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
 
 To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
 
-- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the list of DNS servers is applied to all network connections used by the DNS client.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied list of DNS servers, if configured.
 <!-- DNS_NameServer-Description-End -->
 
 <!-- DNS_NameServer-Editable-Begin -->
@@ -535,18 +535,18 @@ Specifies that responses from link local name resolution protocols received over
 
 <!-- DNS_PrimaryDnsSuffix-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+Specifies the primary DNS suffix used by the DNS client in DNS name registration and DNS name resolution.
 
 To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
 
 > [!IMPORTANT]
-> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+> In order for changes to this policy setting to be applied on the DNS client, you must restart Windows.
 
 - If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
 
 You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
 
-- If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client uses the local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
 <!-- DNS_PrimaryDnsSuffix-Description-End -->
 
 <!-- DNS_PrimaryDnsSuffix-Editable-Begin -->
@@ -600,18 +600,18 @@ You can use this policy setting to prevent users, including local administrators
 
 <!-- DNS_RegisterAdapterName-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
 
 By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
 
-- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
 
-For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
 
 > [!IMPORTANT]
-> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
 
-- If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client won't register any A and PTR resource records using a connection-specific DNS suffix.
 <!-- DNS_RegisterAdapterName-Description-End -->
 
 <!-- DNS_RegisterAdapterName-Editable-Begin -->
@@ -666,7 +666,7 @@ For example, with a computer name of mycomputer, a primary DNS suffix of microso
 
 <!-- DNS_RegisterReverseLookup-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies if DNS client computers will register PTR resource records.
+Specifies if the DNS client will register PTR resource records.
 
 By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
 
@@ -674,13 +674,13 @@ By default, DNS clients configured to perform dynamic DNS registration will atte
 
 To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
 
-Don't register: Computers won't attempt to register PTR resource records.
+Don't register: the DNS client won't attempt to register PTR resource records.
 
-Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
+Register: the DNS client will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
 
-Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+Register only if A record registration succeeds: the DNS client will attempt to register PTR resource records only if registration of the corresponding A records was successful.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use locally configured settings.
 <!-- DNS_RegisterReverseLookup-Description-End -->
 
 <!-- DNS_RegisterReverseLookup-Editable-Begin -->
@@ -734,11 +734,11 @@ Register only if A record registration succeeds: Computers will attempt to regis
 
 <!-- DNS_RegistrationEnabled-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+Specifies if DNS dynamic update is enabled. DNS clients configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
 
-- If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
+- If you enable this policy setting, or you don't configure this policy setting, the DNS client will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting mustn't be disabled.
 
-- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+- If you disable this policy setting, the DNS client may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
 <!-- DNS_RegistrationEnabled-Description-End -->
 
 <!-- DNS_RegistrationEnabled-Editable-Begin -->
@@ -795,7 +795,7 @@ Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic
 <!-- Description-Source-ADMX -->
 Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
 
-This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
+This policy setting is designed for DNS clients that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other DNS clients.
 
 During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
 
@@ -856,18 +856,18 @@ During dynamic update of resource records in a zone that doesn't use Secure Dyna
 
 <!-- DNS_RegistrationRefreshInterval-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies DNS clients performing dynamic DNS updates.
 
-Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+DNS clients configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
 
 > [!WARNING]
 > If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
 
 To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
 
-- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by DNS clients that receive this policy setting.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the local or DHCP supplied setting. By default, DNS clients configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
 <!-- DNS_RegistrationRefreshInterval-Description-End -->
 
 <!-- DNS_RegistrationRefreshInterval-Editable-Begin -->
@@ -921,13 +921,13 @@ To specify the registration refresh interval, click Enabled and then enter a val
 
 <!-- DNS_RegistrationTtl-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by the DNS client to which this policy setting is applied.
 
 To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
 
-- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
+- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by the DNS client.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
 <!-- DNS_RegistrationTtl-Description-End -->
 
 <!-- DNS_RegistrationTtl-Editable-Begin -->
@@ -985,7 +985,7 @@ Specifies the DNS suffixes to attach to an unqualified single-label name before
 
 An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com".
 
-Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
+DNS clients that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com".
 
 To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
 
@@ -1170,15 +1170,15 @@ Specifies the security level for dynamic DNS updates.
 
 To use this policy setting, click Enabled and then select one of the following values:
 
-Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+Unsecure followed by secure - the DNS client sends secure dynamic updates only when nonsecure dynamic updates are refused.
 
-Only unsecure - computers send only nonsecure dynamic updates.
+Only unsecure - the DNS client sends only nonsecure dynamic updates.
 
-Only secure - computers send only secure dynamic updates.
+Only secure - The DNS client sends only secure dynamic updates.
 
-- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+- If you enable this policy setting, DNS clients that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+- If you disable this policy setting, or if you don't configure this policy setting, DNS clients will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
 <!-- DNS_UpdateSecurityLevel-Description-End -->
 
 <!-- DNS_UpdateSecurityLevel-Editable-Begin -->
@@ -1232,13 +1232,13 @@ Only secure - computers send only secure dynamic updates.
 
 <!-- DNS_UpdateTopLevelDomainZones-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
+Specifies if the DNS client may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com".
 
 By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
 
-- If you enable this policy setting, computers send dynamic updates to any zone that's authoritative for the resource records that the computer needs to update, except the root zone.
+- If you enable this policy setting, the DNS client sends dynamic updates to any zone that's authoritative for the resource records that the DNS client needs to update, except the root zone.
 
-- If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+- If you disable this policy setting, or if you don't configure this policy setting, the DNS client doesn't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the DNS client needs to update.
 <!-- DNS_UpdateTopLevelDomainZones-Description-End -->
 
 <!-- DNS_UpdateTopLevelDomainZones-Editable-Begin -->
@@ -1309,7 +1309,7 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
 
 For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
 
-If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the DNS client (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
 
 For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it's under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it's under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
 
@@ -1370,11 +1370,11 @@ For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the
 
 <!-- Turn_Off_Multicast-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+Specifies that link local multicast name resolution (LLMNR) is disabled on the DNS client.
 
-LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a DNS client to another DNS client on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
 
-- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the DNS client.
 
 - If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
 <!-- Turn_Off_Multicast-Description-End -->
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index 03c6eabd47..1b08f87864 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_FileSys Policy CSP
 description: Learn more about the ADMX_FileSys Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -260,7 +260,7 @@ Encrypting the page file prevents malicious users from reading data that has bee
 
 <!-- LongPathsEnabled-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
+Enabling Win32 long paths will allow manifested win32 applications and packaged Microsoft Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process.
 <!-- LongPathsEnabled-Description-End -->
 
 <!-- LongPathsEnabled-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 124f07bbb0..2664598272 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_MicrosoftDefenderAntivirus Policy CSP
 description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1523,11 +1523,13 @@ This policy setting defines the number of days items should be kept in the Quara
 
 <!-- RandomizeScheduleTaskTimes-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
+This policy setting allows you to configure the randomization of the scheduled scan start time and the scheduled definition update start time.
 
-- If you disable or don't configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
+- If you enable or don't configure this policy setting, and didn't set a randomization window in the Configure scheduled task time randomization window setting , then randomization will be added between 0-4 hours.
 
-- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
+- If you enable or don't configure this policy setting, and set a randomization window in the Configure scheduled task time randomization window setting, the configured randomization window will be used.
+
+- If you disable this policy setting, but configured the scheduled task time randomization window, randomization won't be done.
 <!-- RandomizeScheduleTaskTimes-Description-End -->
 
 <!-- RandomizeScheduleTaskTimes-Editable-Begin -->
@@ -3528,11 +3530,11 @@ This policy setting allows you to configure scanning mapped network drives.
 
 <!-- Scan_DisableScanningNetworkFiles-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
+This policy setting allows the scanning of network files using on access protection. The default is enabled. Recommended to remain enabled in most cases.
 
-- If you enable this setting, network files will be scanned.
+- If you enable or don't configure this setting, network files will be scanned.
 
-- If you disable or don't configure this setting, network files won't be scanned.
+- If you disable this setting, network files won't be scanned.
 <!-- Scan_DisableScanningNetworkFiles-Description-End -->
 
 <!-- Scan_DisableScanningNetworkFiles-Editable-Begin -->
@@ -3556,7 +3558,7 @@ This policy setting allows you to configure scanning for network files. It's rec
 | Name | Value |
 |:--|:--|
 | Name | Scan_DisableScanningNetworkFiles |
-| Friendly Name | Scan network files |
+| Friendly Name | Configure scanning of network files |
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@@ -5436,12 +5438,7 @@ Valid remediation action values are:
 <!-- UX_Configuration_CustomDefaultActionToastString-OmaUri-End -->
 
 <!-- UX_Configuration_CustomDefaultActionToastString-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
-
-- If you enable this setting, the additional text specified will be displayed.
-
-- If you disable or don't configure this setting, there will be no additional text displayed.
+<!-- Description-Source-Not-Found -->
 <!-- UX_Configuration_CustomDefaultActionToastString-Description-End -->
 
 <!-- UX_Configuration_CustomDefaultActionToastString-Editable-Begin -->
@@ -5458,6 +5455,7 @@ This policy setting allows you to configure whether or not to display additional
 <!-- UX_Configuration_CustomDefaultActionToastString-DFProperties-End -->
 
 <!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-Begin -->
+<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -5465,10 +5463,6 @@ This policy setting allows you to configure whether or not to display additional
 | Name | Value |
 |:--|:--|
 | Name | UX_Configuration_CustomDefaultActionToastString |
-| Friendly Name | Display additional text to clients when they need to perform an action |
-| Location | Computer Configuration |
-| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
-| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
 | ADMX File Name | WindowsDefender.admx |
 <!-- UX_Configuration_CustomDefaultActionToastString-AdmxBacked-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index 6603256c75..3cad268ba1 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_Netlogon Policy CSP
 description: Learn more about the ADMX_Netlogon Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -420,6 +420,8 @@ Note that this policy setting doesn't affect NetBIOS-based discovery for DC loca
 - If you enable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
 
 - If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
+
+This setting has no effect unless the BlockNetbiosDiscovery setting is disabled. NetBIOS-based discovery is considered unsecure, has many limitations, and will be deprecated in a future release. For these reasons, NetBIOS-based discovery isn't recommended. See <https://aka.ms/dclocatornetbiosdeprecation> for more information.
 <!-- Netlogon_AvoidFallbackNetbiosDiscovery-Description-End -->
 
 <!-- Netlogon_AvoidFallbackNetbiosDiscovery-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index d610c2f9e8..3d3913d0a5 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_Printing Policy CSP
 description: Learn more about the ADMX_Printing Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -749,7 +749,7 @@ This preference allows you to change default printer management.
 
 <!-- MXDWUseLegacyOutputFormatMSXPS-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022.
+Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2025.
 
 - If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).
 
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
index e43437afce..7c490ba91b 100644
--- a/windows/client-management/mdm/policy-csp-admx-startmenu.md
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_StartMenu Policy CSP
 description: Learn more about the ADMX_StartMenu Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -997,7 +997,7 @@ This policy setting allows you to prevent users from changing their Start screen
 |:--|:--|
 | Name | NoChangeStartMenu |
 | Friendly Name | Prevent users from customizing their Start Screen |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
 | Path | Start Menu and Taskbar |
 | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
 | Registry Value Name | NoChangeStartMenu |
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
index 15a624d898..f2d2086000 100644
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_Taskbar Policy CSP
 description: Learn more about the ADMX_Taskbar Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -69,7 +69,7 @@ A reboot is required for this policy setting to take effect.
 |:--|:--|
 | Name | DisableNotificationCenter |
 | Friendly Name | Remove Notifications and Action Center |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
 | Path | Start Menu and Taskbar |
 | Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
 | Registry Value Name | DisableNotificationCenter |
@@ -748,11 +748,11 @@ This policy setting allows you to turn off automatic promotion of notification i
 
 <!-- ShowWindowsStoreAppsOnTaskbar-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows users to see Windows Store apps on the taskbar.
+This policy setting allows users to see packaged Microsoft Store apps on the taskbar.
 
-- If you enable this policy setting, users will see Windows Store apps on the taskbar.
+- If you enable this policy setting, users will see packaged Microsoft Store apps on the taskbar.
 
-- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
+- If you disable this policy setting, users won't see packaged Microsoft Store apps on the taskbar.
 
 - If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
 <!-- ShowWindowsStoreAppsOnTaskbar-Description-End -->
@@ -778,7 +778,7 @@ This policy setting allows users to see Windows Store apps on the taskbar.
 | Name | Value |
 |:--|:--|
 | Name | ShowWindowsStoreAppsOnTaskbar |
-| Friendly Name | Show Windows Store apps on the taskbar |
+| Friendly Name | Show packaged Microsoft Store apps on the taskbar |
 | Location | User Configuration |
 | Path | Start Menu and Taskbar |
 | Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index c4f588506a..d6d10aed92 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_TerminalServer Policy CSP
 description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -3585,7 +3585,7 @@ This policy setting allows you to specify which protocols can be used for Remote
 
 - If you enable this policy setting, you must specify if you would like RDP to use UDP.
 
-You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)".
+You can select one of the following options: "Use either UDP or TCP (default)" or "Use only TCP".
 
 If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP.
 
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index 7095179c9c..bc47c28b99 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_Thumbnails Policy CSP
 description: Learn more about the ADMX_Thumbnails Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -95,11 +95,14 @@ File Explorer displays thumbnail images by default.
 <!-- Description-Source-ADMX -->
 This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
 
-File Explorer displays thumbnail images on network folders by default.
+File Explorer displays only icons and never displays thumbnail images on network folders by default.
 
-- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
+- If you disable this policy setting, File Explorer displays thumbnail images on network folders.
 
-- If you disable or don't configure this policy setting, File Explorer displays only thumbnail images on network folders.
+- If you enable or don't configure this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders.
+
+> [!NOTE]
+> Allowing the use of thumbnail images from network folders can expose the users' computers to security risks.
 <!-- DisableThumbnailsOnNetworkFolders-Description-End -->
 
 <!-- DisableThumbnailsOnNetworkFolders-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 44d542de9d..9100a4bbb3 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_WindowsExplorer Policy CSP
 description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -472,7 +472,15 @@ You can specify a known folder using its known folder id or using its canonical
 <!-- DisableMotWOnInsecurePathCopy-OmaUri-End -->
 
 <!-- DisableMotWOnInsecurePathCopy-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting determines the application of the Mark of the Web tag to files sourced from insecure locations.
+
+- If you enable this policy setting, files copied from unsecure sources won't be tagged with the Mark of the Web.
+
+- If you disable or don't configure this policy setting, files copied from unsecure sources will be tagged with the appropriate Mark of the Web.
+
+> [!NOTE]
+> Failure to tag files from unsecure sources with the Mark of the Web can expose users' computers to security risks.
 <!-- DisableMotWOnInsecurePathCopy-Description-End -->
 
 <!-- DisableMotWOnInsecurePathCopy-Editable-Begin -->
@@ -489,7 +497,6 @@ You can specify a known folder using its known folder id or using its canonical
 <!-- DisableMotWOnInsecurePathCopy-DFProperties-End -->
 
 <!-- DisableMotWOnInsecurePathCopy-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -497,6 +504,11 @@ You can specify a known folder using its known folder id or using its canonical
 | Name | Value |
 |:--|:--|
 | Name | DisableMotWOnInsecurePathCopy |
+| Friendly Name | Do not apply the Mark of the Web tag to files copied from insecure sources |
+| Location | Computer Configuration |
+| Path | WindowsComponents > File Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
+| Registry Value Name | DisableMotWOnInsecurePathCopy |
 | ADMX File Name | WindowsExplorer.admx |
 <!-- DisableMotWOnInsecurePathCopy-AdmxBacked-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
index bfddc2641c..b1b7b3fd75 100644
--- a/windows/client-management/mdm/policy-csp-admx-wpn.md
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -1,7 +1,7 @@
 ---
 title: ADMX_WPN Policy CSP
 description: Learn more about the ADMX_WPN Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -254,7 +254,7 @@ No reboots or service restarts are required for this policy setting to take effe
 |:--|:--|
 | Name | NoToastNotification |
 | Friendly Name | Turn off toast notifications |
-| Location | User Configuration |
+| Location | Computer and User Configuration |
 | Path | Start Menu and Taskbar > Notifications |
 | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
 | Registry Value Name | NoToastApplicationNotification |
diff --git a/windows/client-management/mdm/policy-csp-appdeviceinventory.md b/windows/client-management/mdm/policy-csp-appdeviceinventory.md
index 7e0fb8176b..aa8f597ae9 100644
--- a/windows/client-management/mdm/policy-csp-appdeviceinventory.md
+++ b/windows/client-management/mdm/policy-csp-appdeviceinventory.md
@@ -1,7 +1,7 @@
 ---
 title: AppDeviceInventory Policy CSP
 description: Learn more about the AppDeviceInventory Area in Policy CSP.
-ms.date: 08/07/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -33,7 +33,12 @@ ms.date: 08/07/2024
 <!-- TurnOffAPISamping-OmaUri-End -->
 
 <!-- TurnOffAPISamping-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls the state of API Sampling. API Sampling monitors the sampled collection of application programming interfaces used during system runtime to help diagnose compatibility problems.
+
+- If you enable this policy, API Sampling won't be run.
+
+- If you disable or don't configure this policy, API Sampling will be turned on.
 <!-- TurnOffAPISamping-Description-End -->
 
 <!-- TurnOffAPISamping-Editable-Begin -->
@@ -50,7 +55,6 @@ ms.date: 08/07/2024
 <!-- TurnOffAPISamping-DFProperties-End -->
 
 <!-- TurnOffAPISamping-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -58,6 +62,11 @@ ms.date: 08/07/2024
 | Name | Value |
 |:--|:--|
 | Name | TurnOffAPISamping |
+| Friendly Name | Turn off API Sampling |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableAPISamping |
 | ADMX File Name | AppDeviceInventory.admx |
 <!-- TurnOffAPISamping-AdmxBacked-End -->
 
@@ -83,7 +92,12 @@ ms.date: 08/07/2024
 <!-- TurnOffApplicationFootprint-OmaUri-End -->
 
 <!-- TurnOffApplicationFootprint-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls the state of Application Footprint. Application Footprint monitors the sampled collection of registry and file usage to help diagnose compatibility problems.
+
+- If you enable this policy, Application Footprint won't be run.
+
+- If you disable or don't configure this policy, Application Footprint will be turned on.
 <!-- TurnOffApplicationFootprint-Description-End -->
 
 <!-- TurnOffApplicationFootprint-Editable-Begin -->
@@ -100,7 +114,6 @@ ms.date: 08/07/2024
 <!-- TurnOffApplicationFootprint-DFProperties-End -->
 
 <!-- TurnOffApplicationFootprint-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -108,6 +121,11 @@ ms.date: 08/07/2024
 | Name | Value |
 |:--|:--|
 | Name | TurnOffApplicationFootprint |
+| Friendly Name | Turn off Application Footprint |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableApplicationFootprint |
 | ADMX File Name | AppDeviceInventory.admx |
 <!-- TurnOffApplicationFootprint-AdmxBacked-End -->
 
@@ -133,7 +151,12 @@ ms.date: 08/07/2024
 <!-- TurnOffInstallTracing-OmaUri-End -->
 
 <!-- TurnOffInstallTracing-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls the state of Install Tracing. Install Tracing is a mechanism that tracks application installs to help diagnose compatibility problems.
+
+- If you enable this policy, Install Tracing won't be run.
+
+- If you disable or don't configure this policy, Install Tracing will be turned on.
 <!-- TurnOffInstallTracing-Description-End -->
 
 <!-- TurnOffInstallTracing-Editable-Begin -->
@@ -150,7 +173,6 @@ ms.date: 08/07/2024
 <!-- TurnOffInstallTracing-DFProperties-End -->
 
 <!-- TurnOffInstallTracing-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -158,6 +180,11 @@ ms.date: 08/07/2024
 | Name | Value |
 |:--|:--|
 | Name | TurnOffInstallTracing |
+| Friendly Name | Turn off Install Tracing |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableInstallTracing |
 | ADMX File Name | AppDeviceInventory.admx |
 <!-- TurnOffInstallTracing-AdmxBacked-End -->
 
@@ -167,6 +194,65 @@ ms.date: 08/07/2024
 
 <!-- TurnOffInstallTracing-End -->
 
+<!-- TurnOffWin32AppBackup-Begin -->
+## TurnOffWin32AppBackup
+
+<!-- TurnOffWin32AppBackup-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- TurnOffWin32AppBackup-Applicability-End -->
+
+<!-- TurnOffWin32AppBackup-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/AppDeviceInventory/TurnOffWin32AppBackup
+```
+<!-- TurnOffWin32AppBackup-OmaUri-End -->
+
+<!-- TurnOffWin32AppBackup-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy controls the state of the compatibility scan for backed up applications. The compatibility scan for backed up applications evaluates for compatibility problems in installed applications.
+
+- If you enable this policy, the compatibility scan for backed up applications won't be run.
+
+- If you disable or don't configure this policy, the compatibility scan for backed up applications will be run.
+<!-- TurnOffWin32AppBackup-Description-End -->
+
+<!-- TurnOffWin32AppBackup-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TurnOffWin32AppBackup-Editable-End -->
+
+<!-- TurnOffWin32AppBackup-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- TurnOffWin32AppBackup-DFProperties-End -->
+
+<!-- TurnOffWin32AppBackup-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffWin32AppBackup |
+| Friendly Name | Turn off compatibility scan for backed up applications |
+| Location | Computer Configuration |
+| Path | Windows Components > App and Device Inventory |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisableWin32AppBackup |
+| ADMX File Name | AppDeviceInventory.admx |
+<!-- TurnOffWin32AppBackup-AdmxBacked-End -->
+
+<!-- TurnOffWin32AppBackup-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TurnOffWin32AppBackup-Examples-End -->
+
+<!-- TurnOffWin32AppBackup-End -->
+
 <!-- AppDeviceInventory-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- AppDeviceInventory-CspMoreInfo-End -->
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 7b1698c462..885f96e31a 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,7 +1,7 @@
 ---
 title: ApplicationManagement Policy CSP
 description: Learn more about the ApplicationManagement Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -30,11 +30,11 @@ ms.date: 04/10/2024
 
 <!-- AllowAllTrustedApps-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
+This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed packaged Microsoft Store apps.
 
-- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
+- If you enable this policy setting, you can install any LOB or developer-signed packaged Microsoft Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
 
-- If you disable or don't configure this policy setting, you can't install LOB or developer-signed Windows Store apps.
+- If you disable or don't configure this policy setting, you can't install LOB or developer-signed packaged Microsoft Store apps.
 <!-- AllowAllTrustedApps-Description-End -->
 
 <!-- AllowAllTrustedApps-Editable-Begin -->
@@ -269,7 +269,7 @@ Allows or denies development of Microsoft Store applications and installing them
 | Name | Value |
 |:--|:--|
 | Name | AllowDevelopmentWithoutDevLicense |
-| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) |
+| Friendly Name | Allows development of packaged Microsoft Store apps and installing them from an integrated development environment (IDE) |
 | Location | Computer Configuration |
 | Path | Windows Components > App Package Deployment |
 | Registry Key Name | Software\Policies\Microsoft\Windows\Appx |
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 20cddfc183..2b19c52a8c 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,7 +1,7 @@
 ---
 title: AppRuntime Policy CSP
 description: Learn more about the AppRuntime Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -32,9 +32,9 @@ ms.date: 01/18/2024
 
 <!-- AllowMicrosoftAccountsToBeOptional-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
+This policy setting lets you control whether Microsoft accounts are optional for packaged Microsoft Store apps that require an account to sign in. This policy only affects packaged Microsoft Store apps that support it.
 
-- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
+- If you enable this policy setting, packaged Microsoft Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
 
 - If you disable or don't configure this policy setting, users will need to sign in with a Microsoft account.
 <!-- AllowMicrosoftAccountsToBeOptional-Description-End -->
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 6e677aa3b7..220712712a 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,7 +1,7 @@
 ---
 title: AppVirtualization Policy CSP
 description: Learn more about the AppVirtualization Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -33,6 +33,9 @@ ms.date: 01/18/2024
 <!-- AllowAppVClient-Description-Begin -->
 <!-- Description-Source-ADMX -->
 This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
+
+> [!NOTE]
+> Application Virtualization (App-V) will reach end-of-life April 2026. After that time, the App-V client will be excluded from new versions of the Windows operating system. See aka.ms/AppVDeprecation for more information.
 <!-- AllowAppVClient-Description-End -->
 
 <!-- AllowAppVClient-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 27aae04079..11bf016054 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,7 +1,7 @@
 ---
 title: Cryptography Policy CSP
 description: Learn more about the Cryptography Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
 <!-- Cryptography-Begin -->
 # Policy CSP - Cryptography
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Cryptography-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Cryptography-Editable-End -->
@@ -79,7 +77,7 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
 <!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureEllipticCurveCryptography-Applicability-End -->
 
 <!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
@@ -146,7 +144,7 @@ CertUtil.exe -DisplayEccCurve.
 <!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
 
 <!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
@@ -196,7 +194,7 @@ System cryptography: Force strong key protection for user keys stored on the com
 <!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
 
 <!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
@@ -235,7 +233,7 @@ Override minimal enabled TLS version for client role. Last write wins.
 <!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
 
 <!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
@@ -274,7 +272,7 @@ Override minimal enabled TLS version for server role. Last write wins.
 <!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
 
 <!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
@@ -313,7 +311,7 @@ Override minimal enabled TLS version for client role. Last write wins.
 <!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
 
 <!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index a790f24a26..2eef54311e 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,7 +1,7 @@
 ---
 title: Defender Policy CSP
 description: Learn more about the Defender Area in Policy CSP.
-ms.date: 06/28/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -745,7 +745,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
 | Name | Value |
 |:--|:--|
 | Name | Scan_DisableScanningNetworkFiles |
-| Friendly Name | Scan network files |
+| Friendly Name | Configure scanning of network files |
 | Location | Computer Configuration |
 | Path | Windows Components > Microsoft Defender Antivirus > Scan |
 | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 2b3fea16a4..c1806d30f7 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -1,7 +1,7 @@
 ---
 title: DesktopAppInstaller Policy CSP
 description: Learn more about the DesktopAppInstaller Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -11,8 +11,6 @@ ms.date: 01/18/2024
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- DesktopAppInstaller-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DesktopAppInstaller-Editable-End -->
@@ -215,7 +213,14 @@ Users will still be able to execute the *winget* command. The default help will
 <!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-End -->
 
 <!-- EnableBypassCertificatePinningForMicrosoftStore-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
+
+- If you enable this policy, the [Windows Package Manager](/windows/package-manager/) will bypass the Microsoft Store certificate validation.
+
+- If you disable this policy, the [Windows Package Manager](/windows/package-manager/) will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
+
+- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
 <!-- EnableBypassCertificatePinningForMicrosoftStore-Description-End -->
 
 <!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-Begin -->
@@ -232,7 +237,6 @@ Users will still be able to execute the *winget* command. The default help will
 <!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-End -->
 
 <!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -240,6 +244,11 @@ Users will still be able to execute the *winget* command. The default help will
 | Name | Value |
 |:--|:--|
 | Name | EnableBypassCertificatePinningForMicrosoftStore |
+| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
 | ADMX File Name | DesktopAppInstaller.admx |
 <!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-End -->
 
@@ -445,7 +454,14 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
 <!-- EnableLocalArchiveMalwareScanOverride-OmaUri-End -->
 
 <!-- EnableLocalArchiveMalwareScanOverride-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
+
+- If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
+
+- If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
+
+- If you don't configure this policy, the [Windows Package Manager](/windows/package-manager/) administrator settings will be adhered to.
 <!-- EnableLocalArchiveMalwareScanOverride-Description-End -->
 
 <!-- EnableLocalArchiveMalwareScanOverride-Editable-Begin -->
@@ -462,7 +478,6 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
 <!-- EnableLocalArchiveMalwareScanOverride-DFProperties-End -->
 
 <!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -470,6 +485,11 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
 | Name | Value |
 |:--|:--|
 | Name | EnableLocalArchiveMalwareScanOverride |
+| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
 | ADMX File Name | DesktopAppInstaller.admx |
 <!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-End -->
 
@@ -618,9 +638,9 @@ This policy controls the Microsoft Store source included with the [Windows Packa
 <!-- Description-Source-ADMX -->
 This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
 
-- If you enable or don't configure this setting, users will be able to install packages from websites that use this protocol.
+- If you enable this setting, users will be able to install packages from websites that use this protocol.
 
-- If you disable this setting, users won't be able to install packages from websites that use this protocol.
+- If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
 <!-- EnableMSAppInstallerProtocol-Description-End -->
 
 <!-- EnableMSAppInstallerProtocol-Editable-Begin -->
@@ -724,7 +744,7 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
 
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
@@ -734,7 +754,14 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
 
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy determines if a user can perform an action using the [Windows Package Manager](/windows/package-manager/) through a command line interface (WinGet CLI, or WinGet PowerShell).
+
+If you disable this policy, users won't be able execute the [Windows Package Manager](/windows/package-manager/) CLI, and PowerShell cmdlets.
+
+If you enable, or don't configuring this policy, users will be able to execute the [Windows Package Manager](/windows/package-manager/) CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
+
+This policy doesn't override the "Enable App Installer" policy.
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
 
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
@@ -751,7 +778,6 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
 
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -759,6 +785,11 @@ The settings are stored inside of a .json file on the user’s system. It may be
 | Name | Value |
 |:--|:--|
 | Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| Friendly Name | Enable Windows Package Manager command line interfaces |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
 | ADMX File Name | DesktopAppInstaller.admx |
 <!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
 
@@ -774,7 +805,7 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
 
 <!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
@@ -784,7 +815,12 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
 
 <!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) configuration feature can be used by users.
+
+- If you enable or don't configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
+
+- If you disable this setting, users won't be able to use the [Windows Package Manager](/windows/package-manager/) configuration feature.
 <!-- EnableWindowsPackageManagerConfiguration-Description-End -->
 
 <!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
@@ -801,7 +837,6 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
 
 <!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -809,6 +844,11 @@ The settings are stored inside of a .json file on the user’s system. It may be
 | Name | Value |
 |:--|:--|
 | Name | EnableWindowsPackageManagerConfiguration |
+| Friendly Name | Enable Windows Package Manager Configuration |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableWindowsPackageManagerConfiguration |
 | ADMX File Name | DesktopAppInstaller.admx |
 <!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
 
@@ -835,9 +875,9 @@ The settings are stored inside of a .json file on the user’s system. It may be
 
 <!-- SourceAutoUpdateInterval-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls the auto update interval for package-based sources.
+This policy controls the auto-update interval for package-based sources. The default source for [Windows Package Manager](/windows/package-manager/) is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
 
-- If you disable or don't configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
+- If you disable or don't configure this setting, the default interval or the value specified in the [Windows Package Manager](/windows/package-manager/) settings will be used.
 
 - If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
 <!-- SourceAutoUpdateInterval-Description-End -->
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 259d88a891..c294633d53 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceLock Policy CSP
 description: Learn more about the DeviceLock Area in Policy CSP.
-ms.date: 08/05/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -11,8 +11,6 @@ ms.date: 08/05/2024
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- DeviceLock-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!IMPORTANT]
@@ -25,7 +23,7 @@ ms.date: 08/05/2024
 <!-- AccountLockoutPolicy-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AccountLockoutPolicy-Applicability-End -->
 
 <!-- AccountLockoutPolicy-OmaUri-Begin -->
@@ -64,7 +62,7 @@ Account lockout threshold - This security setting determines the number of faile
 <!-- AllowAdministratorLockout-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllowAdministratorLockout-Applicability-End -->
 
 <!-- AllowAdministratorLockout-OmaUri-Begin -->
@@ -329,7 +327,7 @@ Determines the type of PIN or password required. This policy only applies if the
 <!-- ClearTextPassword-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ClearTextPassword-Applicability-End -->
 
 <!-- ClearTextPassword-OmaUri-Begin -->
@@ -685,7 +683,7 @@ The number of authentication failures allowed before the device will be wiped. A
 <!-- MaximumPasswordAge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MaximumPasswordAge-Applicability-End -->
 
 <!-- MaximumPasswordAge-OmaUri-Begin -->
@@ -1025,7 +1023,7 @@ This security setting determines the period of time (in days) that a password mu
 <!-- MinimumPasswordLength-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MinimumPasswordLength-Applicability-End -->
 
 <!-- MinimumPasswordLength-OmaUri-Begin -->
@@ -1078,7 +1076,7 @@ This security setting determines the least number of characters that a password
 <!-- MinimumPasswordLengthAudit-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MinimumPasswordLengthAudit-Applicability-End -->
 
 <!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
@@ -1128,7 +1126,7 @@ This security setting determines the minimum password length for which password
 <!-- PasswordComplexity-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- PasswordComplexity-Applicability-End -->
 
 <!-- PasswordComplexity-OmaUri-Begin -->
@@ -1188,7 +1186,7 @@ Complexity requirements are enforced when passwords are changed or created.
 <!-- PasswordHistorySize-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- PasswordHistorySize-Applicability-End -->
 
 <!-- PasswordHistorySize-OmaUri-Begin -->
@@ -1360,7 +1358,7 @@ If you enable this setting, users will no longer be able to modify slide show se
 <!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
 
 <!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index f0831810bd..d6932eb1ca 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,7 +1,7 @@
 ---
 title: Experience Policy CSP
 description: Learn more about the Experience Area in Policy CSP.
-ms.date: 08/07/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 08/07/2024
 <!-- Experience-Begin -->
 # Policy CSP - Experience
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Experience-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Experience-Editable-End -->
@@ -484,7 +482,7 @@ Allow screen capture.
 <!-- AllowScreenRecorder-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllowScreenRecorder-Applicability-End -->
 
 <!-- AllowScreenRecorder-OmaUri-Begin -->
@@ -494,7 +492,7 @@ Allow screen capture.
 <!-- AllowScreenRecorder-OmaUri-End -->
 
 <!-- AllowScreenRecorder-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-ADMX -->
 This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app.
 
 - If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app.
@@ -531,7 +529,12 @@ This policy setting allows you to control whether screen recording functionality
 | Name | Value |
 |:--|:--|
 | Name | AllowScreenRecorder |
-| Path | Programs > AT > WindowsComponents > SnippingTool |
+| Friendly Name | Allow Screen Recorder |
+| Location | User Configuration |
+| Path | Windows Components > Snipping Tool |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\SnippingTool |
+| Registry Value Name | AllowScreenRecorder |
+| ADMX File Name | Programs.admx |
 <!-- AllowScreenRecorder-GpMapping-End -->
 
 <!-- AllowScreenRecorder-Examples-Begin -->
@@ -1681,7 +1684,7 @@ This policy setting lets you turn off cloud consumer account state content in al
 <!-- DisableTextTranslation-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisableTextTranslation-Applicability-End -->
 
 <!-- DisableTextTranslation-OmaUri-Begin -->
@@ -1887,7 +1890,7 @@ _**Turn syncing off by default but don’t disable**_
 <!-- EnableOrganizationalMessages-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4828] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows Insider Preview |
+| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 with [KB5041582](https://support.microsoft.com/help/5041582) [10.0.19045.4842] and later <br> ✅ Windows 11, version 22H2 with [KB5020044](https://support.microsoft.com/help/5020044) [10.0.22621.900] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- EnableOrganizationalMessages-Applicability-End -->
 
 <!-- EnableOrganizationalMessages-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index fb55df7a5d..73f6d2a6de 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,7 +1,7 @@
 ---
 title: FileExplorer Policy CSP
 description: Learn more about the FileExplorer Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -138,7 +138,7 @@ When This PC location is restricted, give the user the option to enumerate and n
 
 <!-- DisableGraphRecentItems-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
+Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, Details pane, etc.
 <!-- DisableGraphRecentItems-Description-End -->
 
 <!-- DisableGraphRecentItems-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index 3ef891ed68..1cf592ddff 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -1,7 +1,7 @@
 ---
 title: HumanPresence Policy CSP
 description: Learn more about the HumanPresence Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
 <!-- HumanPresence-Begin -->
 # Policy CSP - HumanPresence
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- HumanPresence-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- HumanPresence-Editable-End -->
@@ -21,7 +19,7 @@ ms.date: 01/18/2024
 <!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ForceAllowDimWhenExternalDisplayConnected-Applicability-End -->
 
 <!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-Begin -->
@@ -85,7 +83,7 @@ Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forc
 <!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ForceAllowLockWhenExternalDisplayConnected-Applicability-End -->
 
 <!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-Begin -->
@@ -149,7 +147,7 @@ Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced
 <!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ForceAllowWakeWhenExternalDisplayConnected-Applicability-End -->
 
 <!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-Begin -->
@@ -213,7 +211,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
 <!-- ForceDisableWakeWhenBatterySaverOn-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ForceDisableWakeWhenBatterySaverOn-Applicability-End -->
 
 <!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 5e218fe45c..bfcf5c6f27 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,7 +1,7 @@
 ---
 title: InternetExplorer Policy CSP
 description: Learn more about the InternetExplorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -1005,7 +1005,12 @@ Note. It's recommended to configure template policy settings in one Group Policy
 <!-- AllowLegacyURLFields-OmaUri-End -->
 
 <!-- AllowLegacyURLFields-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows the use of some disabled functionality, such as WorkingDirectory field or pluggable protocol handling, in Internet Shortcut files.
+
+If you enable this policy, disabled functionality for Internet Shortcut files will be re-enabled.
+
+If you disable, or don't configure this policy, some functionality for Internet Shortcut files, such as WorkingDirectory field or pluggable protocol handling, will be disabled.
 <!-- AllowLegacyURLFields-Description-End -->
 
 <!-- AllowLegacyURLFields-Editable-Begin -->
@@ -1022,7 +1027,6 @@ Note. It's recommended to configure template policy settings in one Group Policy
 <!-- AllowLegacyURLFields-DFProperties-End -->
 
 <!-- AllowLegacyURLFields-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -1030,6 +1034,11 @@ Note. It's recommended to configure template policy settings in one Group Policy
 | Name | Value |
 |:--|:--|
 | Name | AllowLegacyURLFields |
+| Friendly Name | Allow legacy functionality for Internet Shortcut files |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
+| Registry Value Name | AllowLegacyURLFields |
 | ADMX File Name | inetres.admx |
 <!-- AllowLegacyURLFields-AdmxBacked-End -->
 
@@ -7923,13 +7932,11 @@ This policy setting allows you to manage the opening of windows and frames and a
 
 <!-- JScriptReplacement-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.
+This policy setting specifies whether JScript or JScript9Legacy is loaded.
 
-- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.
+- If you enable this policy setting or not configured, JScript9Legacy will be loaded in situations where JScript is instantiated.
 
 - If you disable this policy, then JScript will be utilized.
-
-- If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.
 <!-- JScriptReplacement-Description-End -->
 
 <!-- JScriptReplacement-Editable-Begin -->
@@ -7953,7 +7960,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS
 | Name | Value |
 |:--|:--|
 | Name | JScriptReplacement |
-| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. |
+| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript. |
 | Location | Computer and User Configuration |
 | Path | Windows Components > Internet Explorer |
 | Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main |
@@ -13407,7 +13414,7 @@ If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode
 
 If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
 
-For more information, see <https://go.microsoft.com/fwlink/?linkid=2102115>
+For more information, see <https://go.microsoft.com/fwlink/?linkid=2220107>
 <!-- ResetZoomForDialogInIEMode-Description-End -->
 
 <!-- ResetZoomForDialogInIEMode-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index b3e44fe44d..b80bf2d206 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,7 +1,7 @@
 ---
 title: LanmanWorkstation Policy CSP
 description: Learn more about the LanmanWorkstation Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -36,6 +36,8 @@ This policy setting determines if the SMB client will allow insecure guest logon
 
 - If you disable this policy setting, the SMB client will reject insecure guest logons.
 
+If you enable signing, the SMB client will reject insecure guest logons.
+
 Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access".
 <!-- EnableInsecureGuestLogons-Description-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 8caa34c334..4333825aac 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -1,7 +1,7 @@
 ---
 title: LocalPoliciesSecurityOptions Policy CSP
 description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -360,7 +360,7 @@ Accounts: Rename guest account This security setting determines whether a differ
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
 
 <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@@ -404,7 +404,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
 <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
 
 <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@@ -445,7 +445,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
 <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
 
 <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@@ -718,7 +718,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
 <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
 
 <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@@ -771,7 +771,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
 <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
 
 <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@@ -825,7 +825,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
 <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
 
 <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@@ -878,7 +878,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
 <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
 
 <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@@ -928,7 +928,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
 <!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
 
 <!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@@ -982,7 +982,7 @@ Domain member: Disable machine account password changes Determines whether a dom
 <!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
 
 <!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@@ -1035,7 +1035,7 @@ Domain member: Maximum machine account password age This security setting determ
 <!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
 
 <!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@@ -1335,7 +1335,7 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
 <!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
 
 <!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
@@ -1535,7 +1535,7 @@ Interactive logon: Message title for users attempting to log on This security se
 <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
 
 <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@@ -1575,7 +1575,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
 <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
 
 <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@@ -1864,7 +1864,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
 <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
 
 <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@@ -2047,7 +2047,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
 <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
 
 <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@@ -2090,7 +2090,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
 <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
 
 <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@@ -2131,7 +2131,7 @@ Microsoft network server: Server SPN target name validation level This policy se
 <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Applicability-End -->
 
 <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-OmaUri-Begin -->
@@ -2312,7 +2312,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
 <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
 
 <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@@ -2360,7 +2360,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
 <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
 
 <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@@ -2412,7 +2412,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
 <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
 
 <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@@ -2452,7 +2452,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
 <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
 
 <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@@ -2495,7 +2495,7 @@ Network access: Remotely accessible registry paths This security setting determi
 <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
 
 <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@@ -2644,7 +2644,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
 <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
 
 <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@@ -2684,7 +2684,7 @@ Network access: Shares that can be accessed anonymously This security setting de
 <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
 
 <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@@ -2728,7 +2728,7 @@ Network access: Sharing and security model for local accounts This security sett
 <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
 
 <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@@ -2958,7 +2958,7 @@ Network security: Don't store LAN Manager hash value on next password change Thi
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Applicability-End -->
 
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-OmaUri-Begin -->
@@ -3083,7 +3083,7 @@ Network security LAN Manager authentication level This security setting determin
 <!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
 
 <!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@@ -3489,7 +3489,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
 <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
 
 <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@@ -3539,7 +3539,7 @@ Recovery console: Allow automatic administrative logon This security setting det
 <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
 
 <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@@ -3696,7 +3696,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
 <!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
 
 <!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@@ -3737,7 +3737,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
 <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
 
 <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@@ -3787,7 +3787,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
 <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
 
 <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
index d4773d4c5d..d29d14edd8 100644
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -1,7 +1,7 @@
 ---
 title: LocalSecurityAuthority Policy CSP
 description: Learn more about the LocalSecurityAuthority Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -93,7 +93,7 @@ This policy controls the configuration under which LSASS loads custom SSPs and A
 <!-- Description-Source-ADMX -->
 This policy controls the configuration under which LSASS is run.
 
-- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
+- If you don't configure this policy and there is no current setting in the registry, LSA will run as protected process for all clean installed, HVCI capable, client SKUs. This configuration isn't UEFI locked. This can be overridden if the policy is configured.
 
 - If you configure and set this policy setting to "Disabled", LSA won't run as a protected process.
 
@@ -135,7 +135,7 @@ This policy controls the configuration under which LSASS is run.
 | Friendly Name | Configures LSASS to run as a protected process |
 | Location | Computer Configuration |
 | Path | System > Local Security Authority |
-| Registry Key Name | System\CurrentControlSet\Control\Lsa |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
 | ADMX File Name | LocalSecurityAuthority.admx |
 <!-- ConfigureLsaProtectedProcess-GpMapping-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index da47e000cd..75b88b507b 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -1,7 +1,7 @@
 ---
 title: MSSecurityGuide Policy CSP
 description: Learn more about the MSSecurityGuide Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -11,8 +11,6 @@ ms.date: 01/31/2024
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- MSSecurityGuide-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- MSSecurityGuide-Editable-End -->
@@ -223,7 +221,7 @@ ms.date: 01/31/2024
 <!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- NetBTNodeTypeConfiguration-Applicability-End -->
 
 <!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 5864c486c1..a8158e010d 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -1,7 +1,7 @@
 ---
 title: NetworkListManager Policy CSP
 description: Learn more about the NetworkListManager Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 08/06/2024
 <!-- NetworkListManager-Begin -->
 # Policy CSP - NetworkListManager
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- NetworkListManager-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- NetworkListManager-Editable-End -->
@@ -21,7 +19,7 @@ ms.date: 08/06/2024
 <!-- AllNetworks_NetworkIcon-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllNetworks_NetworkIcon-Applicability-End -->
 
 <!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@@ -70,7 +68,7 @@ This policy setting allows you to specify whether users can change the network i
 <!-- AllNetworks_NetworkLocation-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllNetworks_NetworkLocation-Applicability-End -->
 
 <!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@@ -119,7 +117,7 @@ This policy setting allows you to specify whether users can change the network l
 <!-- AllNetworks_NetworkName-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllNetworks_NetworkName-Applicability-End -->
 
 <!-- AllNetworks_NetworkName-OmaUri-Begin -->
@@ -262,7 +260,7 @@ This policy setting provides the string that names a network. If this setting is
 <!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- IdentifyingNetworks_LocationType-Applicability-End -->
 
 <!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@@ -311,7 +309,7 @@ This policy setting allows you to configure the Network Location for networks th
 <!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- UnidentifiedNetworks_LocationType-Applicability-End -->
 
 <!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@@ -360,7 +358,7 @@ This policy setting allows you to configure the Network Location type for networ
 <!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
 
 <!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 65d5cb42bc..8c03b26633 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -1,7 +1,7 @@
 ---
 title: Notifications Policy CSP
 description: Learn more about the Notifications Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
 <!-- Notifications-Begin -->
 # Policy CSP - Notifications
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Notifications-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Notifications-Editable-End -->
@@ -21,7 +19,7 @@ ms.date: 01/18/2024
 <!-- DisableAccountNotifications-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisableAccountNotifications-Applicability-End -->
 
 <!-- DisableAccountNotifications-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index fa423988bf..098733446d 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -1,7 +1,7 @@
 ---
 title: Printers Policy CSP
 description: Learn more about the Printers Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -369,7 +369,7 @@ Determines whether Redirection Guard is enabled for the print spooler.
 
 You can enable this setting to configure the Redirection Guard policy being applied to spooler.
 
-- If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
+- If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.
 
 - If you enable this setting you may select the following options:
 
@@ -435,7 +435,12 @@ The following are the supported values:
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-OmaUri-End -->
 
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.
+
+By default packet level privacy is enabled for RPC for incoming connections.
+
+If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-Description-End -->
 
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-Editable-Begin -->
@@ -452,7 +457,6 @@ The following are the supported values:
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-DFProperties-End -->
 
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -460,6 +464,11 @@ The following are the supported values:
 | Name | Value |
 |:--|:--|
 | Name | ConfigureRpcAuthnLevelPrivacyEnabled |
+| Friendly Name | Configure RPC packet level privacy setting for incoming connections |
+| Location | Computer Configuration |
+| Path | Printers |
+| Registry Key Name | System\CurrentControlSet\Control\Print |
+| Registry Value Name | RpcAuthnLevelPrivacyEnabled |
 | ADMX File Name | Printing.admx |
 <!-- ConfigureRpcAuthnLevelPrivacyEnabled-AdmxBacked-End -->
 
@@ -685,7 +694,16 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
 <!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
 
 <!-- ConfigureWindowsProtectedPrint-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+Determines whether Windows protected print is enabled on this computer.
+
+By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.
+
+- If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.
+
+- If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.
+
+For more information, please see [insert link to web page with WPP info]
 <!-- ConfigureWindowsProtectedPrint-Description-End -->
 
 <!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
@@ -702,7 +720,6 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
 <!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
 
 <!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -710,6 +727,11 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
 | Name | Value |
 |:--|:--|
 | Name | ConfigureWindowsProtectedPrint |
+| Friendly Name | Configure Windows protected print |
+| Location | Computer Configuration |
+| Path | Printers |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\WPP |
+| Registry Value Name | WindowsProtectedPrintGroupPolicyState |
 | ADMX File Name | Printing.admx |
 <!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 895ee8c286..35949bfb98 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,7 +1,7 @@
 ---
 title: Privacy Policy CSP
 description: Learn more about the Privacy Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -2398,207 +2398,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
 
 <!-- LetAppsAccessGazeInput_UserInControlOfTheseApps-End -->
 
-<!-- LetAppsAccessGenerativeAI-Begin -->
-## LetAppsAccessGenerativeAI
-
-<!-- LetAppsAccessGenerativeAI-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-<!-- LetAppsAccessGenerativeAI-Applicability-End -->
-
-<!-- LetAppsAccessGenerativeAI-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI
-```
-<!-- LetAppsAccessGenerativeAI-OmaUri-End -->
-
-<!-- LetAppsAccessGenerativeAI-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy setting specifies whether Windows apps can use generative AI features of Windows.
-<!-- LetAppsAccessGenerativeAI-Description-End -->
-
-<!-- LetAppsAccessGenerativeAI-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI-Editable-End -->
-
-<!-- LetAppsAccessGenerativeAI-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-2]` |
-| Default Value  | 0 |
-<!-- LetAppsAccessGenerativeAI-DFProperties-End -->
-
-<!-- LetAppsAccessGenerativeAI-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_Enum |
-<!-- LetAppsAccessGenerativeAI-GpMapping-End -->
-
-<!-- LetAppsAccessGenerativeAI-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI-Examples-End -->
-
-<!-- LetAppsAccessGenerativeAI-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Begin -->
-## LetAppsAccessGenerativeAI_ForceAllowTheseApps
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Applicability-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceAllowTheseApps
-```
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-OmaUri-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Description-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Editable-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-DFProperties-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_ForceAllowTheseApps_List |
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-GpMapping-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-Examples-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceAllowTheseApps-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Begin -->
-## LetAppsAccessGenerativeAI_ForceDenyTheseApps
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Applicability-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_ForceDenyTheseApps
-```
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-OmaUri-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use generative AI features of Windows. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Description-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Editable-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-DFProperties-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_ForceDenyTheseApps_List |
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-GpMapping-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-Examples-End -->
-
-<!-- LetAppsAccessGenerativeAI_ForceDenyTheseApps-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Begin -->
-## LetAppsAccessGenerativeAI_UserInControlOfTheseApps
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Applicability-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGenerativeAI_UserInControlOfTheseApps
-```
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-OmaUri-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the generative AI setting for the listed apps. This setting overrides the default LetAppsAccessGenerativeAI policy setting for the specified apps.
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Description-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Editable-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `;`) |
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-DFProperties-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LetAppsAccessGenerativeAI |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessGenerativeAI_UserInControlOfTheseApps_List |
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-GpMapping-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-Examples-End -->
-
-<!-- LetAppsAccessGenerativeAI_UserInControlOfTheseApps-End -->
-
 <!-- LetAppsAccessGraphicsCaptureProgrammatic-Begin -->
 ## LetAppsAccessGraphicsCaptureProgrammatic
 
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 68895bc0f7..70acc4ac5e 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,7 @@
 ---
 title: RemoteDesktopServices Policy CSP
 description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockLegacyAuthn-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisconnectOnLockLegacyAuthn-Applicability-End -->
 
 <!-- DisconnectOnLockLegacyAuthn-OmaUri-Begin -->
@@ -166,7 +166,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockLegacyAuthn-OmaUri-End -->
 
 <!-- DisconnectOnLockLegacyAuthn-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
+
+This policy applies only when using legacy authentication to authenticate to the remote PC. Legacy authentication is limited to username and password, or certificates like smartcards. Legacy authentication doesn't leverage the Microsoft identity platform, such as Microsoft Entra ID. Legacy authentication includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
+
+- If you enable this policy setting, Remote Desktop connections using legacy authentication will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and re-enter their credentials when prompted.
+
+- If you disable or don't configure this policy setting, Remote Desktop connections using legacy authentication will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
 <!-- DisconnectOnLockLegacyAuthn-Description-End -->
 
 <!-- DisconnectOnLockLegacyAuthn-Editable-Begin -->
@@ -183,7 +190,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockLegacyAuthn-DFProperties-End -->
 
 <!-- DisconnectOnLockLegacyAuthn-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -191,7 +197,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 | Name | Value |
 |:--|:--|
 | Name | TS_DISCONNECT_ON_LOCK_POLICY |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name |  Disconnect remote session on lock for legacy authentication |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisconnectOnLockLegacy |
+| ADMX File Name | TerminalServer.admx |
 <!-- DisconnectOnLockLegacyAuthn-AdmxBacked-End -->
 
 <!-- DisconnectOnLockLegacyAuthn-Examples-Begin -->
@@ -206,7 +217,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Applicability-End -->
 
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-Begin -->
@@ -216,7 +227,14 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-OmaUri-End -->
 
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure the user experience when the Remote Desktop session is locked by the user or by a policy. You can specify whether the remote session will show the remote lock screen or disconnect when the remote session is locked. Disconnecting the remote session ensures that a remote session can't be left on the lock screen and can't reconnect automatically due to loss of network connectivity.
+
+This policy applies only when using an identity provider that uses the Microsoft identity platform, such as Microsoft Entra ID, to authenticate to the remote PC. This policy doesn't apply when using Legacy authentication which includes the NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols.
+
+- If you enable or don't configure this policy setting, Remote Desktop connections using the Microsoft identity platform will disconnect the remote session when the remote session is locked. Users can reconnect when they're ready and can use passwordless authentication if configured.
+
+- If you disable this policy setting, Remote Desktop connections using the Microsoft identity platform will show the remote lock screen when the remote session is locked. Users can unlock the remote session using their username and password, or certificates.
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Description-End -->
 
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Editable-Begin -->
@@ -233,7 +251,6 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-DFProperties-End -->
 
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -241,7 +258,12 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
 | Name | Value |
 |:--|:--|
 | Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Disconnect remote session on lock for Microsoft identity platform authentication |
+| Location | Computer Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| Registry Value Name | fDisconnectOnLockMicrosoftIdentity |
+| ADMX File Name | TerminalServer.admx |
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-AdmxBacked-End -->
 
 <!-- DisconnectOnLockMicrosoftIdentityAuthn-Examples-Begin -->
@@ -439,7 +461,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- LimitClientToServerClipboardRedirection-Applicability-End -->
 
 <!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
@@ -453,7 +475,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
 
 <!-- LimitClientToServerClipboardRedirection-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to restrict clipboard data transfers from client to server.
+
+- If you enable this policy setting, you must choose from the following behaviors:
+
+- Disable clipboard transfers from client to server.
+
+- Allow plain text copying from client to server.
+
+- Allow plain text and images copying from client to server.
+
+- Allow plain text, images and Rich Text Format copying from client to server.
+
+- Allow plain text, images, Rich Text Format and HTML copying from client to server.
+
+- If you disable or don't configure this policy setting, users can copy arbitrary contents from client to server if clipboard redirection is enabled.
+
+> [!NOTE]
+> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
 <!-- LimitClientToServerClipboardRedirection-Description-End -->
 
 <!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
@@ -470,7 +510,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
 
 <!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -478,7 +517,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 | Name | Value |
 |:--|:--|
 | Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Restrict clipboard transfer from client to server |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| ADMX File Name | TerminalServer.admx |
 <!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
 
 <!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
@@ -493,7 +536,7 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows Insider Preview |
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2523] and later <br> ✅ [10.0.25398.946] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.3014] and later <br> ✅ Windows 11, version 22H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22621.3672] and later <br> ✅ Windows 11, version 23H2 with [KB5037853](https://support.microsoft.com/help/5037853) [10.0.22631.3672] and later <br> ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- LimitServerToClientClipboardRedirection-Applicability-End -->
 
 <!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
@@ -507,7 +550,25 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
 
 <!-- LimitServerToClientClipboardRedirection-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to restrict clipboard data transfers from server to client.
+
+- If you enable this policy setting, you must choose from the following behaviors:
+
+- Disable clipboard transfers from server to client.
+
+- Allow plain text copying from server to client.
+
+- Allow plain text and images copying from server to client.
+
+- Allow plain text, images and Rich Text Format copying from server to client.
+
+- Allow plain text, images, Rich Text Format and HTML copying from server to client.
+
+- If you disable or don't configure this policy setting, users can copy arbitrary contents from server to client if clipboard redirection is enabled.
+
+> [!NOTE]
+> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the stricter restriction will be used.
 <!-- LimitServerToClientClipboardRedirection-Description-End -->
 
 <!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
@@ -524,7 +585,6 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 <!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
 
 <!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -532,7 +592,11 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
 | Name | Value |
 |:--|:--|
 | Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
-| ADMX File Name | terminalserver.admx |
+| Friendly Name | Restrict clipboard transfer from server to client |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
+| ADMX File Name | TerminalServer.admx |
 <!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
 
 <!-- LimitServerToClientClipboardRedirection-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 005ef18357..fc7b78d250 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,7 +1,7 @@
 ---
 title: Search Policy CSP
 description: Learn more about the Search Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 08/06/2024
 <!-- Search-Begin -->
 # Policy CSP - Search
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Search-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Search-Editable-End -->
@@ -648,7 +646,7 @@ The most restrictive value is `0` to now allow automatic language detection.
 <!-- ConfigureSearchOnTaskbarMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureSearchOnTaskbarMode-Applicability-End -->
 
 <!-- ConfigureSearchOnTaskbarMode-OmaUri-Begin -->
@@ -930,13 +928,13 @@ This policy setting configures whether or not locations on removable drives can
 
 <!-- DoNotUseWebResults-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
+This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search.
 
-- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
+- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search.
 
-- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
+- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search.
 
-- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search, and if search highlights are shown in the search box and in search home.
+- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search.
 <!-- DoNotUseWebResults-Description-End -->
 
 <!-- DoNotUseWebResults-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md
index 39e032a8b4..e8025d4898 100644
--- a/windows/client-management/mdm/policy-csp-settingssync.md
+++ b/windows/client-management/mdm/policy-csp-settingssync.md
@@ -1,7 +1,7 @@
 ---
 title: SettingsSync Policy CSP
 description: Learn more about the SettingsSync Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -11,8 +11,6 @@ ms.date: 01/18/2024
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- SettingsSync-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- SettingsSync-Editable-End -->
@@ -23,7 +21,7 @@ ms.date: 01/18/2024
 <!-- DisableAccessibilitySettingSync-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisableAccessibilitySettingSync-Applicability-End -->
 
 <!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
@@ -84,7 +82,7 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
 <!-- DisableLanguageSettingSync-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisableLanguageSettingSync-Applicability-End -->
 
 <!-- DisableLanguageSettingSync-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 6e99e05ccb..166eacb4b4 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 title: SmartScreen Policy CSP
 description: Learn more about the SmartScreen Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -29,20 +29,11 @@ ms.date: 01/31/2024
 <!-- EnableAppInstallControl-OmaUri-End -->
 
 <!-- EnableAppInstallControl-Description-Begin -->
-<!-- Description-Source-ADMX -->
-App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
+<!-- Description-Source-DDF-Forced -->
+Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
 
-- If you enable this setting, you must choose from the following behaviors:
-
-- Turn off app recommendations.
-
-- Show me app recommendations.
-
-- Warn me before installing apps from outside the Store.
-
-- Allow apps from Store only.
-
-- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
+> [!NOTE]
+> This policy will block installation only while the device is online. To block offline installation too, SmartScreen/PreventOverrideForFilesInShell and SmartScreen/EnableSmartScreenInShell policies should also be enabled. This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
 <!-- EnableAppInstallControl-Description-End -->
 
 <!-- EnableAppInstallControl-Editable-Begin -->
@@ -110,23 +101,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
 <!-- EnableSmartScreenInShell-OmaUri-End -->
 
 <!-- EnableSmartScreenInShell-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
-
-Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
-
-- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
-
-- Warn and prevent bypass
-- Warn.
-
-- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
-
-- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
-
-- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
-
-- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
+<!-- Description-Source-DDF-Forced -->
+Allows IT Admins to configure SmartScreen for Windows.
 <!-- EnableSmartScreenInShell-Description-End -->
 
 <!-- EnableSmartScreenInShell-Editable-Begin -->
@@ -188,23 +164,8 @@ Some information is sent to Microsoft about files and programs run on PCs with t
 <!-- PreventOverrideForFilesInShell-OmaUri-End -->
 
 <!-- PreventOverrideForFilesInShell-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that don't appear to be suspicious.
-
-Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
-
-- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
-
-- Warn and prevent bypass
-- Warn.
-
-- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
-
-- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen won't warn the user again for that app if the user tells SmartScreen to run the app.
-
-- If you disable this policy, SmartScreen will be turned off for all users. Users won't be warned if they try to run suspicious apps from the Internet.
-
-- If you don't configure this policy, SmartScreen will be enabled by default, but users may change their settings.
+<!-- Description-Source-DDF-Forced -->
+Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
 <!-- PreventOverrideForFilesInShell-Description-End -->
 
 <!-- PreventOverrideForFilesInShell-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-speakforme.md b/windows/client-management/mdm/policy-csp-speakforme.md
new file mode 100644
index 0000000000..b1be7a5fa4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-speakforme.md
@@ -0,0 +1,79 @@
+---
+title: SpeakForMe Policy CSP
+description: Learn more about the SpeakForMe Area in Policy CSP.
+ms.date: 09/27/2024
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- SpeakForMe-Begin -->
+# Policy CSP - SpeakForMe
+
+<!-- SpeakForMe-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SpeakForMe-Editable-End -->
+
+<!-- EnableSpeakForMe-Begin -->
+## EnableSpeakForMe
+
+<!-- EnableSpeakForMe-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+<!-- EnableSpeakForMe-Applicability-End -->
+
+<!-- EnableSpeakForMe-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/SpeakForMe/EnableSpeakForMe
+```
+<!-- EnableSpeakForMe-OmaUri-End -->
+
+<!-- EnableSpeakForMe-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy setting controls whether to allow the creation of personal voices with SpeakForMe Accessibility Windows Application.
+
+- If you enable this policy setting, then user can create their personal voice models.
+
+- If you disable this policy setting, then user can't create their personal voice models with SpeakForMe.
+
+- If you don't configure this policy setting (default), then users can launch the training flow and create their personal voice model through SpeakForMe.
+<!-- EnableSpeakForMe-Description-End -->
+
+<!-- EnableSpeakForMe-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableSpeakForMe-Editable-End -->
+
+<!-- EnableSpeakForMe-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- EnableSpeakForMe-DFProperties-End -->
+
+<!-- EnableSpeakForMe-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- EnableSpeakForMe-AllowedValues-End -->
+
+<!-- EnableSpeakForMe-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableSpeakForMe-Examples-End -->
+
+<!-- EnableSpeakForMe-End -->
+
+<!-- SpeakForMe-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- SpeakForMe-CspMoreInfo-End -->
+
+<!-- SpeakForMe-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md
index 09a4e3c938..dbcd21af22 100644
--- a/windows/client-management/mdm/policy-csp-sudo.md
+++ b/windows/client-management/mdm/policy-csp-sudo.md
@@ -1,7 +1,7 @@
 ---
 title: Sudo Policy CSP
 description: Learn more about the Sudo Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 04/10/2024
 <!-- Sudo-Begin -->
 # Policy CSP - Sudo
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Sudo-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Sudo-Editable-End -->
@@ -21,7 +19,7 @@ ms.date: 04/10/2024
 <!-- EnableSudo-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- EnableSudo-Applicability-End -->
 
 <!-- EnableSudo-OmaUri-Begin -->
@@ -31,7 +29,20 @@ ms.date: 04/10/2024
 <!-- EnableSudo-OmaUri-End -->
 
 <!-- EnableSudo-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting controls use of the sudo.exe command line tool.
+
+- If you enable this policy setting, then you may set a maximum allowed mode to run sudo in. This restricts the ways in which users may interact with command-line applications run with sudo. You may pick one of the following modes to allow sudo to run in:
+
+"Disabled": sudo is entirely disabled on this machine. When the user tries to run sudo, sudo will print an error message and exit.
+
+"Force new window": When sudo launches a command line application, it will launch that app in a new console window.
+
+"Disable input": When sudo launches a command line application, it will launch the app in the current console window, but the user won't be able to type input to the command line app. The user may also choose to run sudo in "Force new window" mode.
+
+"Normal": When sudo launches a command line application, it will launch the app in the current console window. The user may also choose to run sudo in "Force new window" or "Disable input" mode.
+
+- If you disable this policy or don't configure it, the user will be able to run sudo.exe normally (after enabling the setting in the Settings app).
 <!-- EnableSudo-Description-End -->
 
 <!-- EnableSudo-Editable-Begin -->
@@ -65,7 +76,11 @@ ms.date: 04/10/2024
 | Name | Value |
 |:--|:--|
 | Name | EnableSudo |
-| Path | Sudo > AT > System |
+| Friendly Name | Configure the behavior of the sudo command |
+| Location | Computer Configuration |
+| Path | System |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Sudo |
+| ADMX File Name | Sudo.admx |
 <!-- EnableSudo-GpMapping-End -->
 
 <!-- EnableSudo-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 57739476b7..1f4fbbaa1e 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,7 +1,7 @@
 ---
 title: System Policy CSP
 description: Learn more about the System Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -11,8 +11,6 @@ ms.date: 08/06/2024
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- System-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- System-Editable-End -->
@@ -431,7 +429,7 @@ This policy setting determines whether Windows is allowed to download fonts and
 
 - If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
 
-- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts.
+- If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally-installed fonts.
 
 - If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
 <!-- AllowFontProviders-Description-End -->
@@ -569,7 +567,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
 This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
 This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
-When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
 This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
 <!-- AllowMicrosoftManagedDesktopProcessing-Description-End -->
 
@@ -888,7 +886,7 @@ To enable this behavior:
 
 When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
 
-If you disable or don't configure this policy setting, devices enrolled to Windows Autopatch won't be able to take advantage of some deployment service features.
+If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
 <!-- AllowWUfBCloudProcessing-Description-End -->
 
 <!-- AllowWUfBCloudProcessing-Editable-Begin -->
@@ -1471,7 +1469,7 @@ This policy setting lets you prevent apps and features from working with files o
 
 * Users can't access OneDrive from the OneDrive app and file picker.
 
-* Windows Store apps can't access OneDrive using the WinRT API.
+* Packaged Microsoft Store apps can't access OneDrive using the WinRT API.
 
 * OneDrive doesn't appear in the navigation pane in File Explorer.
 
@@ -1739,7 +1737,7 @@ This policy setting controls whether Windows records attempts to connect with th
 
 <!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-Begin -->
 <!-- Description-Source-DDF -->
-Diagnostic files created when feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
+Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or set to false, users will be presented with the option to save locally. The default is to not save locally.
 <!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Description-End -->
 
 <!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Editable-Begin -->
@@ -1761,8 +1759,8 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
 
 | Value | Description |
 |:--|:--|
-| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. |
-| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. |
+| 0 (Default) | False. The Feedback Hub won't always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. |
+| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. |
 <!-- FeedbackHubAlwaysSaveDiagnosticsLocally-AllowedValues-End -->
 
 <!-- FeedbackHubAlwaysSaveDiagnosticsLocally-Examples-Begin -->
@@ -1777,7 +1775,7 @@ Diagnostic files created when feedback is filed in the Feedback Hub app will alw
 <!-- HideUnsupportedHardwareNotifications-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- HideUnsupportedHardwareNotifications-Applicability-End -->
 
 <!-- HideUnsupportedHardwareNotifications-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 2d9c9595f5..10d548c65f 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -1,7 +1,7 @@
 ---
 title: SystemServices Policy CSP
 description: Learn more about the SystemServices Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 04/10/2024
 <!-- SystemServices-Begin -->
 # Policy CSP - SystemServices
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- SystemServices-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- SystemServices-Editable-End -->
@@ -21,7 +19,7 @@ ms.date: 04/10/2024
 <!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
@@ -171,7 +169,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
@@ -221,7 +219,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
@@ -271,7 +269,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
@@ -321,7 +319,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
@@ -371,7 +369,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
@@ -421,7 +419,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
@@ -471,7 +469,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
@@ -521,7 +519,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
 
 <!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
@@ -571,7 +569,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
@@ -621,7 +619,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
@@ -671,7 +669,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
@@ -721,7 +719,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
@@ -771,7 +769,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
@@ -821,7 +819,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
@@ -871,7 +869,7 @@ This setting determines whether the service's start type is Automatic(2), Manual
 <!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
 
 <!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index 484f4c88ad..536b1b741f 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -1,7 +1,7 @@
 ---
 title: TenantRestrictions Policy CSP
 description: Learn more about the TenantRestrictions Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -41,9 +41,9 @@ When you enable this setting, compliant applications will be prevented from acce
 
 <https://go.microsoft.com/fwlink/?linkid=2148762>
 
-Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
+Before enabling firewall protection, ensure that an App Control for Business policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding App Control for Business policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information.
 
-For details about setting up WDAC with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
+For details about setting up App Control with tenant restrictions, see <https://go.microsoft.com/fwlink/?linkid=2155230>
 <!-- ConfigureTenantRestrictions-Description-End -->
 
 <!-- ConfigureTenantRestrictions-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 9ecb6a207c..a77f87712f 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,7 +1,7 @@
 ---
 title: Update Policy CSP
 description: Learn more about the Update Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,18 +9,12 @@ ms.date: 09/11/2024
 <!-- Update-Begin -->
 # Policy CSP - Update
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- Update-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- Update-Editable-End -->
 
 Update CSP policies are listed below based on the group policy area:
 
-- [Windows Insider Preview](#windows-insider-preview)
-  - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
-  - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
-  - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
 - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
   - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
   - [AllowOptionalContent](#allowoptionalcontent)
@@ -61,7 +55,8 @@ Update CSP policies are listed below based on the group policy area:
   - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates)
   - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod)
   - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates)
-  - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot)
+  - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
+  - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
   - [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod)
   - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours)
   - [ScheduledInstallDay](#scheduledinstallday)
@@ -76,6 +71,7 @@ Update CSP policies are listed below based on the group policy area:
   - [SetEDURestart](#setedurestart)
   - [UpdateNotificationLevel](#updatenotificationlevel)
 - [Legacy Policies](#legacy-policies)
+  - [AlwaysAutoRebootAtScheduledTimeMinutes](#alwaysautorebootatscheduledtimeminutes)
   - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays)
   - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates)
   - [AutoRestartNotificationSchedule](#autorestartnotificationschedule)
@@ -99,188 +95,6 @@ Update CSP policies are listed below based on the group policy area:
   - [ScheduleRestartWarning](#schedulerestartwarning)
   - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable)
 
-## Windows Insider Preview
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
-### AlwaysAutoRebootAtScheduledTimeMinutes
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
-```
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
-<!-- Description-Source-ADMX -->
-
-- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
-
-The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
-
-- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
-
-If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[15-180]` |
-| Default Value  | 15 |
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | AlwaysAutoRebootAtScheduledTime |
-| Friendly Name | Always automatically restart at the scheduled time |
-| Element Name | work (minutes) |
-| Location | Computer Configuration |
-| Path | Windows Components > Windows Update > Manage end user experience |
-| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
-| ADMX File Name | WindowsUpdate.admx |
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
-
-<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
-### ConfigureDeadlineNoAutoRebootForFeatureUpdates
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
-```
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
-<!-- Description-Source-DDF -->
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value  | 0 |
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates |
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
-### ConfigureDeadlineNoAutoRebootForQualityUpdates
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
-```
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
-<!-- Description-Source-DDF -->
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value  | 0 |
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates |
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
-
-<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
-
 ## Manage updates offered from Windows Update
 
 <!-- AllowNonMicrosoftSignedUpdate-Begin -->
@@ -2518,8 +2332,8 @@ Number of days before feature updates are installed on devices automatically reg
 
 | Name | Value |
 |:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
 | Element Name | Deadline (days) |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -2578,7 +2392,7 @@ Number of days before quality updates are installed on devices automatically reg
 | Name | Value |
 |:--|:--|
 | Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
 | Element Name | Deadline (days) |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -2633,7 +2447,7 @@ Minimum number of days from update installation until restarts occur automatical
 | Name | Value |
 |:--|:--|
 | Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
 | Element Name | Grace period (days) |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -2687,8 +2501,8 @@ Minimum number of days from update installation until restarts occur automatical
 
 | Name | Value |
 |:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
 | Element Name | Grace Period (days) |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -2702,31 +2516,47 @@ Minimum number of days from update installation until restarts occur automatical
 
 <!-- ConfigureDeadlineGracePeriodForFeatureUpdates-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-Begin -->
-### ConfigureDeadlineNoAutoReboot
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
+### ConfigureDeadlineNoAutoRebootForFeatureUpdates
 
-<!-- ConfigureDeadlineNoAutoReboot-Applicability-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
-<!-- ConfigureDeadlineNoAutoReboot-Applicability-End -->
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-OmaUri-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
 ```Device
-./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot
+./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates
 ```
-<!-- ConfigureDeadlineNoAutoReboot-OmaUri-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-Description-Begin -->
-<!-- Description-Source-DDF-Forced -->
-When enabled, devices won't automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
-<!-- ConfigureDeadlineNoAutoReboot-Description-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy lets you specify the number of days before feature updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
 
-<!-- ConfigureDeadlineNoAutoReboot-Editable-Begin -->
+Set deadlines for feature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+
+Set a grace period for feature updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
+
+You can set the device to delay restarting until both the deadline and grace period have expired.
+
+If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
+
+This policy will override the following policies:
+
+1. Specify deadline before auto restart for update installation
+1. Specify Engaged restart transition and notification schedule for updates.
+
+1. Always automatically restart at the scheduled time
+1. Configure Automatic Updates.
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoReboot-Editable-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Editable-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-DFProperties-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-Begin -->
 **Description framework properties**:
 
 | Property name | Property value |
@@ -2734,36 +2564,115 @@ When enabled, devices won't automatically restart outside of active hours until
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
-<!-- ConfigureDeadlineNoAutoReboot-DFProperties-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-DFProperties-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-Begin -->
 **Allowed values**:
 
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled. |
 | 1 | Enabled. |
-<!-- ConfigureDeadlineNoAutoReboot-AllowedValues-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-AllowedValues-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-GpMapping-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-Begin -->
 **Group policy mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | ComplianceDeadline |
-| Friendly Name | Specify deadlines for automatic updates and restarts |
+| Name | ComplianceDeadlineForFU |
+| Friendly Name | Specify deadline for automatic updates and restarts for feature update |
 | Element Name | Don't auto-restart until end of grace period. |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
 | Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
 | ADMX File Name | WindowsUpdate.admx |
-<!-- ConfigureDeadlineNoAutoReboot-GpMapping-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-GpMapping-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-Examples-Begin -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- ConfigureDeadlineNoAutoReboot-Examples-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Examples-End -->
 
-<!-- ConfigureDeadlineNoAutoReboot-End -->
+<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Begin -->
+### ConfigureDeadlineNoAutoRebootForQualityUpdates
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates
+```
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy lets you specify the number of days before quality updates are installed on devices automatically, and a grace period after which required restarts occur automatically.
+
+Set deadlines for quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they're offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed, restarts will occur regardless of active hours, and users won't be able to reschedule. If the deadline is set to 0 days, the update will be installed immediately upon offering, but might not finish within the day due to device availability and network connectivity.
+
+Set a grace period for quality updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days set as grace period to manage their restart, based on deadline configurations.
+
+You can set the device to delay restarting until both the deadline and grace period have expired.
+
+If you disable or don't configure this policy, devices will get updates and will restart according to the default schedule.
+
+This policy will override the following policies:
+
+1. Specify deadline before auto restart for update installation
+1. Specify Engaged restart transition and notification schedule for updates.
+
+1. Always automatically restart at the scheduled time
+1. Configure Automatic Updates.
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Editable-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-DFProperties-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-AllowedValues-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ComplianceDeadline |
+| Friendly Name | Specify deadline for automatic updates and restarts for quality update |
+| Element Name | Don't auto-restart until end of grace period. |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| ADMX File Name | WindowsUpdate.admx |
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-GpMapping-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Examples-End -->
+
+<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-End -->
 
 <!-- ConfigureFeatureUpdateUninstallPeriod-Begin -->
 ### ConfigureFeatureUpdateUninstallPeriod
@@ -3647,6 +3556,68 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
 
 ## Legacy Policies
 
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Begin -->
+### AlwaysAutoRebootAtScheduledTimeMinutes
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Applicability-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AlwaysAutoRebootAtScheduledTimeMinutes
+```
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-OmaUri-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-Begin -->
+<!-- Description-Source-ADMX -->
+
+- If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.
+
+The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.
+
+- If you disable or don't configure this policy, Windows Update won't alter its restart behavior.
+
+If the "No auto-restart with logged-on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Description-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Editable-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[15-180]` |
+| Default Value  | 15 |
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-DFProperties-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysAutoRebootAtScheduledTime |
+| Friendly Name | Always automatically restart at the scheduled time |
+| Element Name | work (minutes) |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Legacy Policies |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
+| ADMX File Name | WindowsUpdate.admx |
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-GpMapping-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-Examples-End -->
+
+<!-- AlwaysAutoRebootAtScheduledTimeMinutes-End -->
+
 <!-- AutoRestartDeadlinePeriodInDays-Begin -->
 ### AutoRestartDeadlinePeriodInDays
 
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index dc226ea336..68db80419e 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1,7 +1,7 @@
 ---
 title: UserRights Policy CSP
 description: Learn more about the UserRights Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
 <!-- UserRights-Begin -->
 # Policy CSP - UserRights
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- UserRights-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@@ -258,7 +256,7 @@ This user right allows a process to impersonate any user without authentication.
 <!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AdjustMemoryQuotasForProcess-Applicability-End -->
 
 <!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
@@ -359,7 +357,7 @@ This user right determines which users can log on to the computer.
 <!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
 
 <!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
@@ -460,7 +458,7 @@ This user right determines which users can bypass file, directory, registry, and
 <!-- BypassTraverseChecking-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- BypassTraverseChecking-Applicability-End -->
 
 <!-- BypassTraverseChecking-OmaUri-Begin -->
@@ -567,7 +565,7 @@ This user right determines which users and groups can change the time and date o
 <!-- ChangeTimeZone-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ChangeTimeZone-Applicability-End -->
 
 <!-- ChangeTimeZone-OmaUri-Begin -->
@@ -1027,7 +1025,7 @@ This security setting determines which service accounts are prevented from regis
 <!-- DenyLogOnAsBatchJob-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DenyLogOnAsBatchJob-Applicability-End -->
 
 <!-- DenyLogOnAsBatchJob-OmaUri-Begin -->
@@ -1076,7 +1074,7 @@ This security setting determines which accounts are prevented from being able to
 <!-- DenyLogOnAsService-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DenyLogOnAsService-Applicability-End -->
 
 <!-- DenyLogOnAsService-OmaUri-Begin -->
@@ -1336,7 +1334,7 @@ Assigning this user right to a user allows programs running on behalf of that us
 <!-- IncreaseProcessWorkingSet-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- IncreaseProcessWorkingSet-Applicability-End -->
 
 <!-- IncreaseProcessWorkingSet-OmaUri-Begin -->
@@ -1543,7 +1541,7 @@ This user right determines which accounts can use a process to keep data in phys
 <!-- LogOnAsBatchJob-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- LogOnAsBatchJob-Applicability-End -->
 
 <!-- LogOnAsBatchJob-OmaUri-Begin -->
@@ -1592,7 +1590,7 @@ This security setting allows a user to be logged-on by means of a batch-queue fa
 <!-- LogOnAsService-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- LogOnAsService-Applicability-End -->
 
 <!-- LogOnAsService-OmaUri-Begin -->
@@ -1889,7 +1887,7 @@ This user right determines which users can use performance monitoring tools to m
 <!-- ProfileSystemPerformance-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ProfileSystemPerformance-Applicability-End -->
 
 <!-- ProfileSystemPerformance-OmaUri-Begin -->
@@ -1987,7 +1985,7 @@ This user right determines which users are allowed to shut down a computer from
 <!-- ReplaceProcessLevelToken-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ReplaceProcessLevelToken-Applicability-End -->
 
 <!-- ReplaceProcessLevelToken-OmaUri-Begin -->
@@ -2088,7 +2086,7 @@ This user right determines which users can bypass file, directory, registry, and
 <!-- ShutDownTheSystem-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- ShutDownTheSystem-Applicability-End -->
 
 <!-- ShutDownTheSystem-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 0b01461d1e..96d9296b8a 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -1,7 +1,7 @@
 ---
 title: WebThreatDefense Policy CSP
 description: Learn more about the WebThreatDefense Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/31/2024
 <!-- WebThreatDefense-Begin -->
 # Policy CSP - WebThreatDefense
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- WebThreatDefense-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
@@ -23,7 +21,7 @@ ms.date: 01/31/2024
 <!-- AutomaticDataCollection-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AutomaticDataCollection-Applicability-End -->
 
 <!-- AutomaticDataCollection-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 1d1a1691af..642e2df000 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
 ---
 title: WindowsAI Policy CSP
 description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -21,7 +21,7 @@ ms.date: 09/11/2024
 <!-- DisableAIDataAnalysis-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- DisableAIDataAnalysis-Applicability-End -->
 
 <!-- DisableAIDataAnalysis-OmaUri-Begin -->
@@ -31,14 +31,12 @@ ms.date: 09/11/2024
 <!-- DisableAIDataAnalysis-OmaUri-End -->
 
 <!-- DisableAIDataAnalysis-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy setting allows you to determine whether end users have the option to allow snapshots to be saved on their PCs.
+<!-- Description-Source-ADMX -->
+This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
 
-- If disabled, end users will have a choice to save snapshots of their screen on their PC and then use Recall to find things they've seen.
+- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
 
-- If the policy is enabled, end users won't be able to save snapshots on their PC.
-
-- If the policy isn't configured, end users may or may not be able to save snapshots on their PC-depending on other policy configurations.
+- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
 <!-- DisableAIDataAnalysis-Description-End -->
 
 <!-- DisableAIDataAnalysis-Editable-Begin -->
@@ -70,7 +68,12 @@ This policy setting allows you to determine whether end users have the option to
 | Name | Value |
 |:--|:--|
 | Name | DisableAIDataAnalysis |
-| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
+| Friendly Name | Turn off Saving Snapshots for Windows |
+| Location | User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | DisableAIDataAnalysis |
+| ADMX File Name | WindowsCopilot.admx |
 <!-- DisableAIDataAnalysis-GpMapping-End -->
 
 <!-- DisableAIDataAnalysis-Examples-Begin -->
@@ -203,6 +206,58 @@ This policy setting allows you to control whether Image Creator functionality is
 
 <!-- DisableImageCreator-End -->
 
+<!-- SetCopilotHardwareKey-Begin -->
+## SetCopilotHardwareKey
+
+<!-- SetCopilotHardwareKey-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- SetCopilotHardwareKey-Applicability-End -->
+
+<!-- SetCopilotHardwareKey-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
+```
+<!-- SetCopilotHardwareKey-OmaUri-End -->
+
+<!-- SetCopilotHardwareKey-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
+
+- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
+
+- If the policy isn't configured, Copilot will open if it's available in that country or region.
+<!-- SetCopilotHardwareKey-Description-End -->
+
+<!-- SetCopilotHardwareKey-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SetCopilotHardwareKey-Editable-End -->
+
+<!-- SetCopilotHardwareKey-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- SetCopilotHardwareKey-DFProperties-End -->
+
+<!-- SetCopilotHardwareKey-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetCopilotHardwareKey |
+| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
+<!-- SetCopilotHardwareKey-GpMapping-End -->
+
+<!-- SetCopilotHardwareKey-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SetCopilotHardwareKey-Examples-End -->
+
+<!-- SetCopilotHardwareKey-End -->
+
 <!-- TurnOffWindowsCopilot-Begin -->
 ## TurnOffWindowsCopilot
 
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index d9c4d40da1..c7a7fe256c 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,7 +1,7 @@
 ---
 title: WindowsLogon Policy CSP
 description: Learn more about the WindowsLogon Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -380,11 +380,11 @@ This policy setting allows you to control whether users see the first sign-in an
 
 <!-- EnableMPRNotifications-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls the configuration under which winlogon sends MPR notifications in the system.
+This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
 
-- If you enable this setting or don't configure it, winlogon sends MPR notifications if a credential manager is configured.
+- If you disable this setting or don't configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
 
-- If you disable this setting, winlogon doesn't send MPR notifications.
+- If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
 <!-- EnableMPRNotifications-Description-End -->
 
 <!-- EnableMPRNotifications-Editable-Begin -->
@@ -415,7 +415,7 @@ This policy controls the configuration under which winlogon sends MPR notificati
 | Name | Value |
 |:--|:--|
 | Name | EnableMPRNotifications |
-| Friendly Name | Enable MPR notifications for the system |
+| Friendly Name | Configure the transmission of the user's password in the content of MPR notifications sent by winlogon. |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Logon Options |
 | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index ffa94e847a..a22172669f 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -1,7 +1,7 @@
 ---
 title: WindowsSandbox Policy CSP
 description: Learn more about the WindowsSandbox Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 09/27/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,8 +9,6 @@ ms.date: 01/18/2024
 <!-- WindowsSandbox-Begin -->
 # Policy CSP - WindowsSandbox
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- WindowsSandbox-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- WindowsSandbox-Editable-End -->
@@ -149,7 +147,7 @@ This policy setting enables or disables clipboard sharing with the sandbox.
 <!-- AllowMappedFolders-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllowMappedFolders-Applicability-End -->
 
 <!-- AllowMappedFolders-OmaUri-Begin -->
@@ -159,8 +157,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
 <!-- AllowMappedFolders-OmaUri-End -->
 
 <!-- AllowMappedFolders-Description-Begin -->
-<!-- Description-Source-DDF -->
-Allow mapping folders into Windows Sandbox.
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables mapping folders into sandbox.
+
+- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
+
+- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
+
+- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
+
+- If you don't configure this policy setting, mapped folders will be enabled.
+
+Note that there may be security implications of exposing folders from the host into the container.
 <!-- AllowMappedFolders-Description-End -->
 
 <!-- AllowMappedFolders-Editable-Begin -->
@@ -184,7 +192,12 @@ Allow mapping folders into Windows Sandbox.
 | Name | Value |
 |:--|:--|
 | Name | AllowMappedFolders |
-| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+| Friendly Name | Allow mapping folders into Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowMappedFolders |
+| ADMX File Name | WindowsSandbox.admx |
 <!-- AllowMappedFolders-GpMapping-End -->
 
 <!-- AllowMappedFolders-Examples-Begin -->
@@ -457,7 +470,7 @@ Note that there may be security implications of exposing host video input to the
 <!-- AllowWriteToMappedFolders-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
 <!-- AllowWriteToMappedFolders-Applicability-End -->
 
 <!-- AllowWriteToMappedFolders-OmaUri-Begin -->
@@ -467,8 +480,18 @@ Note that there may be security implications of exposing host video input to the
 <!-- AllowWriteToMappedFolders-OmaUri-End -->
 
 <!-- AllowWriteToMappedFolders-Description-Begin -->
-<!-- Description-Source-DDF -->
-Allow Sandbox to write to mapped folders.
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables mapping folders into sandbox.
+
+- If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
+
+- If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
+
+- If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
+
+- If you don't configure this policy setting, mapped folders will be enabled.
+
+Note that there may be security implications of exposing folders from the host into the container.
 <!-- AllowWriteToMappedFolders-Description-End -->
 
 <!-- AllowWriteToMappedFolders-Editable-Begin -->
@@ -492,8 +515,13 @@ Allow Sandbox to write to mapped folders.
 
 | Name | Value |
 |:--|:--|
-| Name | AllowWriteToMappedFolders |
-| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+| Name | AllowMappedFolders |
+| Friendly Name | Allow mapping folders into Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowMappedFolders |
+| ADMX File Name | WindowsSandbox.admx |
 <!-- AllowWriteToMappedFolders-GpMapping-End -->
 
 <!-- AllowWriteToMappedFolders-Examples-Begin -->
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index eba37a1745..3011ad91da 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -48,12 +48,12 @@ items:
     - name: Protocol
       expanded: true
       items:
-        - name: Overview
-          href: ../declared-configuration.md
-        - name: Discovery
-          href: ../declared-configuration-discovery.md
-        - name: Enrollment
-          href: ../declared-configuration-enrollment.md
+      - name: Overview
+        href: ../declared-configuration.md
+      - name: Discovery
+        href: ../declared-configuration-discovery.md
+      - name: Enrollment
+        href: ../declared-configuration-enrollment.md
     - name: Extensibility
       href: ../declared-configuration-extensibility.md
     - name: Resource access
@@ -387,7 +387,7 @@ items:
           href: policy-csp-authentication.md
         - name: Autoplay
           href: policy-csp-autoplay.md
-        - name: BitLocker
+        - name: Bitlocker
           href: policy-csp-bitlocker.md
         - name: BITS
           href: policy-csp-bits.md
@@ -537,6 +537,8 @@ items:
           href: policy-csp-settingssync.md
         - name: SmartScreen
           href: policy-csp-smartscreen.md
+        - name: SpeakForMe
+          href: policy-csp-speakforme.md
         - name: Speech
           href: policy-csp-speech.md
         - name: Start
diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md
index f7cbe59725..b29c96b947 100644
--- a/windows/configuration/taskbar/pinned-apps.md
+++ b/windows/configuration/taskbar/pinned-apps.md
@@ -50,9 +50,11 @@ The following steps describe how to configure the taskbar pinned applications us
 1. Edit the XML file to meet your requirements and save it
 1. Deploy the XML file to devices using configuration service provider (CSP), provisioning packages (PPKG), or group policy (GPO)
 
->[!IMPORTANT]
->If you use a provisioning package or `import-startlayout` to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
+> [!IMPORTANT]
+> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
 
+> [!CAUTION]
+> The use of the `Import-StartLayout` PowerShell cmdlet to provision the Taskbar layout is no longer supported in Windows 11. The only supported configuration in Windows 11 is to use a provisioning package.
 ::: zone pivot="windows-10"
 
 >[!NOTE]
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a0a59d054a..c2b584ffa3 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch.
-ms.date: 09/16/2024
+ms.date: 09/26/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
@@ -66,7 +66,7 @@ Once a device is registered to the service, a readiness status is displayed. Eac
 
 #### Readiness statuses
 
-| Autopatch readiness status in the Devices report | Sub-status description |
+| Autopatch readiness status in the Devices report | Substatus description |
 | --- | --- |
 | Registered |<ul><li>**Ready**: Devices successfully passed all prerequisite checks and successfully registered with Windows Autopatch. Additionally, Ready devices successfully passed all [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) and don't have any active alerts targeting them.</li><li>**Not ready**: These devices were successfully registered with Windows Autopatch. However, these devices:</li><ul><li>Failed to pass one or more [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</li><li>Aren't ready to have one or more software update workloads managed by the service.</li><li>The device didn't communicate with Microsoft Intune in the last 28 days</li><li>The device has a conflict with policies or with Autopatch group membership</li></ul></ul> |
 | Not registered |<ul><li>**Autopatch group conflict**: The device has a conflict with Autopatch group membership</li><li>**Prerequisites failed**: The device failed to pass one or more [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</li><li>**Excluded**: Devices with this status are removed from the Windows Autopatch service only. Microsoft assumes you manage these devices yourself in some capacity.</li></ul> |
@@ -82,7 +82,7 @@ You can view the excluded devices in the Not registered tab to make it easier fo
 
 ## Move devices in between deployment rings
 
-If you want to move devices to different deployment rings after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Devices report**.
+If you want to move devices to different deployment rings after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices.
 
 > [!IMPORTANT]
 > **You can only move devices in between deployment rings within the same Autopatch group**. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: **An error occurred. Please select devices within the same Autopatch group**.
@@ -93,15 +93,13 @@ If you want to move devices to different deployment rings after Windows Autopatc
 > You can only move devices to other deployment rings when the device's Autopatch readiness status appears as **Registered** and the Update status is **Active**.
 
 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
-1. Under **Manage updates** section, select **Windows updates**.
-1. In the **Devices report**, select one or more devices you want to assign. All selected devices are assigned to the deployment ring you specify.
-1. Select **Device actions** from the menu.
-1. Select **Assign ring**. A fly-in opens.
-1. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The Ring assigned by column changes to **Pending**.
-1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
+1. Navigate to **Windows updates** > **Monitor** > **Autopatch devices**.
+1. Select one or more devices you want to assign and select **Assign ring**.
+1. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. All selected devices are assigned to the deployment ring you specify. The "1 devices scheduled for assignment" notification appears.
+1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. The **Ring assigned by** column is only visible in the fly-in menu.
 
 > [!WARNING]
-> Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and might cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+> Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and might cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign ring** action described previously to move devices between deployment rings.
 
 ## Register devices into Autopatch groups
 
@@ -211,7 +209,7 @@ The device is rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-o
 
 ### Device repair and hardware replacement
 
-If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, nonremovable network interface cards (NIC) or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as:
+If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, nonremovable network interface cards (NIC), or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as:
 
 - SMBIOS UUID (motherboard)
 - MAC address (nonremovable NICs)
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
new file mode 100644
index 0000000000..ec3fc85cbe
--- /dev/null
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
@@ -0,0 +1,28 @@
+---
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: include
+ms.date: 09/24/2024
+ms.localizationpriority: medium
+---
+<!--This file is shared by windows-autopatch-driver-and-firmware-programmatic-controls.md, windows-autopatch-windows-quality-update-programmatic-controls.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
+
+You must have access to the following endpoints:
+
+[Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)
+
+- *.prod.do.dsp.mp.microsoft.com
+- *.windowsupdate.com
+- *.dl.delivery.mp.microsoft.com
+- *.update.microsoft.com
+- *.delivery.mp.microsoft.com
+- tsfe.trafficshaping.dsp.mp.microsoft.com
+
+Graph API endpoints:
+
+- devicelistenerprod.microsoft.com
+- login.windows.net
+- payloadprod*.blob.core.windows.net
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
index 9557d457c6..a9fcc86c26 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 09/16/2024
+ms.date: 09/24/2024
 ---
 
 # Programmatic controls for drivers and firmware updates
@@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-fix-is
 <!--Using include for Graph Explorer permissions-->
 [!INCLUDE [Windows Autopath permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
 
+### Required endpoints
+
+<!--Using include for required Graph API endpoints-->
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
 ## Open Graph Explorer
 
 <!--Using include for Graph Explorer sign in-->
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
index db264d3c4f..d6c5b41cb3 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 09/16/2024
+ms.date: 09/24/2024
 ---
 
 # Programmatic controls for Windows feature updates
@@ -48,6 +48,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
 <!--Using include for Graph Explorer permissions-->
 [!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
 
+### Required endpoints
+
+<!--Using include for required Graph API endpoints-->
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
 ## Open Graph Explorer
 
 <!--Using include for Graph Explorer sign in-->
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
index 87af926fae..77acf64924 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-ms.date: 09/16/2024
+ms.date: 09/24/2024
 ---
 
 # Programmatic controls for expedited Windows quality updates
@@ -44,6 +44,11 @@ All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prereq
 <!--Using include for Graph Explorer permissions-->
 [!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)]
 
+### Required endpoints
+
+<!--Using include for required Graph API endpoints-->
+[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)]
+
 ## Open Graph Explorer
 
 <!--Using include for Graph Explorer sign in-->
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 7aea64cf61..d5be989897 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -29,6 +29,9 @@ sections:
       - question: Will Windows Autopatch be available for state and local government customers?
         answer: |
           Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported.
+      - question: How do I access Windows Autopatch?
+        answer: | 
+          You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements to activate all [Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses). 
   - name: Requirements
     questions:
       - question: What are the licensing requirements for Windows Autopatch?
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 56b1ee39cf..386ec22830 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
 ---
 title: What is Windows Autopatch?
 description: Details what the service is and shortcuts to articles.
-ms.date: 09/16/2024
+ms.date: 09/27/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: overview
@@ -17,6 +17,9 @@ ms.reviewer: hathind
 
 # What is Windows Autopatch?
 
+> [!IMPORTANT]
+> In September, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement.
+
 Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
 
 ## Unique to Windows Autopatch
@@ -38,7 +41,7 @@ Windows Autopatch helps you minimize the involvement of your scarce IT resources
 
 [!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
 
-The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, features include:
+The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
 
 | Features included with Business Premium and A3+ licenses | Description |
 | --- | --- |
@@ -48,11 +51,14 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 | [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
 | [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
 
+> [!IMPORTANT]
+> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
+
 ### Windows Enterprise E3+ and F3 licenses
 
 [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
 
-In addition to the features included in [Business Premium and A3+ licenses](#business-premium-and-a3-licenses), if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to all of Windows Autopatch features in your tenant when you [activate Windows Autopatch](../prepare/windows-autopatch-feature-activation.md). Windows Autopatch features include:
+In addition to the features included in [Business Premium and A3+ licenses](#business-premium-and-a3-licenses), if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to all of Windows Autopatch features in your tenant. When you [activate Windows Autopatch](../prepare/windows-autopatch-feature-activation.md), you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
 
 | Features included in Windows Enterprise E3+ and F3 licenses | Description |
 | --- | --- |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 77fb2d0c6b..6666b1fe35 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -1,7 +1,7 @@
 ---
 title: Configure your network
 description: This article details the network configurations needed for Windows Autopatch
-ms.date: 09/16/2024
+ms.date: 09/24/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
@@ -33,7 +33,7 @@ There are URLs from several Microsoft products that must be in the allowed list
 | Microsoft service | URLs required on Allowlist |
 | ----- | ----- |
 | Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
-| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
+| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
 | Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
 
 #### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints)
@@ -63,7 +63,7 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
 
 | Microsoft service | URLs required on allowlist |
 | ----- | ----- |
-| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li></ul>|
+| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>payloadprod*.blob.core.windows.net</li></ul>|
 
 ## Delivery Optimization
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 1e49a9fad7..74379f93b0 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/16/2024
+ms.date: 09/27/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: concept-article
@@ -19,6 +19,9 @@ ms.collection:
 
 ## Licenses and entitlements
 
+> [!IMPORTANT]
+> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
+
 ### [Business Premium and A3+](#tab/business-premium-a3-entitlements)
 
 Business Premium and A3+ licenses include:
@@ -41,7 +44,7 @@ For more information about specific service plans, see [Windows 10/11 Enterprise
 
 ### Feature entitlement
 
-For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
+For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Features are accessed through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 | Symbol | Meaning |
 | --- | --- |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index 8f27de3c27..f7ca1e60c8 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2024
 description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 09/16/2024
+ms.date: 09/27/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: whats-new
@@ -27,7 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Article | Description |
 | ----- | ----- |
-| All articles | Windows Update for Business deployment service unified under Windows Autopatch. For more information, see [What is Windows Autopatch?](../overview/windows-autopatch-overview.md)|
+| All articles | Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) to understand licensing and feature entitlement.|
 
 ## March 2024
 
diff --git a/windows/deployment/windows-enterprise-e3-overview.md b/windows/deployment/windows-enterprise-e3-overview.md
index f4532464b5..5d58a929ec 100644
--- a/windows/deployment/windows-enterprise-e3-overview.md
+++ b/windows/deployment/windows-enterprise-e3-overview.md
@@ -66,7 +66,6 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
 |Feature|Description|
 |--- |--- |
 |Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
 |AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
 |Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).|
 |User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
@@ -106,28 +105,6 @@ For more information about implementing Credential Guard, see the following reso
 - [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
 - [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
 
-### Device Guard
-
-Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:
-
-1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.
-
-2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.
-
-3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.
-
-4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.
-
-5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.
-
-6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.
-
-7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
-
-For more information about implementing Device Guard, see:
-
-- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
-- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
 
 ### AppLocker management
 
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 71ccd2f1d9..6fa1d2a9e2 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -190,7 +190,7 @@ Required diagnostic data includes:
    - Operating system attributes, such as Windows edition and virtualization state
    - Storage attributes, such as number of drives, type, and size
 
-- Quality metrics that helps provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
+- Quality metrics that help provide an understanding about how the Connected User Experiences and diagnostic data component is functioning, including % of uploaded events, dropped events, blocked events, and the last upload time.
 
 - Quality-related information that helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and app state change details, such as how much processor time and memory were used, and the total uptime for an app.
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 2a1eec8490..bfb651939e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1737,7 +1737,7 @@ In Group Policy, configure:
 
 ### <a href="" id="bkmk-spotlight"></a>25. Personalized Experiences
 
-Personalized experiences provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
+Personalized experiences provide features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. Example features include Windows Spotlight and Start Suggestions. You can control them by using the Group Policy.
 
 > [!NOTE]
 > This excludes how individual experiences (e.g., Windows Spotlight) can be controlled by users in Windows Settings.
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index 753c45f0c8..fb9459ba79 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -35,7 +35,7 @@ Transparency is an important part of the data collection process in Windows. Com
 
 ### 1.1 Device set up experience and support for layered transparency
 
-When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
+When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the setup experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs.
 
 The following table provides an overview of the Windows 10 and Windows 11 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index d7e4822aaa..553251974a 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -54,7 +54,7 @@ Follow the instructions below to configure your devices using either Microsoft I
 
 | Category | Setting name | Value |
 |--|--|--|
-| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Windows Hello For Business | true |
 | **Windows Hello for Business** | Require Security Device | true |
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index e2e4402d37..436f28fe2d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 06/23/2024
+ms.date: 09/26/2024
 ms.topic: tutorial
 ---
 
@@ -73,7 +73,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
 
 | Category | Setting name | Value |
 |--|--|--|
-| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Windows Hello For Business | true |
 | **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled |
 | **Windows Hello for Business** | Require Security Device | true |
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 136b0f615d..c547b535eb 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -83,7 +83,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you on
 
 | Category | Setting name | Value |
 |--|--|--|
-| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Windows Hello For Business | true |
 | **Windows Hello for Business** | Use Cloud Trust For On Prem Auth | Enabled |
 | **Windows Hello for Business** | Require Security Device | true |
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index de3ffd9240..c97ec8cde9 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -38,7 +38,7 @@ If the Intune tenant-wide policy is enabled and configured to your needs, you ca
 
 | Category | Setting name | Value |
 |--|--|--|
-| **Windows Hello for Business** | Use Passport For Work | true |
+| **Windows Hello for Business** | Use Windows Hello For Business | true |
 | **Windows Hello for Business** | Require Security Device | true |
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 02b20cfc2d..34c2ed5f4a 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -2,7 +2,7 @@
 title: PDE settings and configuration
 description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
 ---
 
 # PDE settings and configuration
@@ -36,6 +36,21 @@ The following table lists the recommended settings to improve PDE's security.
 
 ## Configure PDE with Microsoft Intune
 
+If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+
+### Disk encryption policy
+
+To configure devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Enable Personal Data Encryption** and configure the settings as needed.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
+### Settings catalog policy
+
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 
 | Category | Setting name | Value |
@@ -80,6 +95,17 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
 
 Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
 
+### Disable PDE with a disk encryption policy
+
+To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+
+- **Platform** > **Windows**
+- **Profile** > **Personal Data Encryption**
+
+Provide a name, and select **Next**. In the **Configuration settings** page, select **Disable Personal Data Encryption**.
+
+Assign the policy to a group that contains as members the devices or users that you want to configure.
+
 ### Disable PDE with a settings catalog policy in Intune
 
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index cc6278f590..8aeed21090 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption (PDE)
   description: Answers to common questions regarding Personal Data Encryption (PDE).
   ms.topic: faq
-  ms.date: 05/06/2024
+  ms.date: 09/24/2024
 
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index f0f3e1f99f..7e28595993 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,7 +2,7 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 05/06/2024
+ms.date: 09/24/2024
 ---
 
 # Personal Data Encryption (PDE)