From ded9d2b99a009a8ff0754fc894ab7b816366d694 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan Example
- Example
- For IPv6 ranges: For IPv4 ranges: Example
- Example
- Example
-
-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. **or** Example
-
-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. Example
- Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section. Example
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-You can also use the self-closing version, <url="contoso.com" />, which also sets:
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-Where:
-
- Important
-
- Example
-
-Where:
-
-
- **or** For IPv6 ranges: Where **Important** Example
- Example
-
-Replace:
- Example
- Example
- For IPv6 ranges: For IPv4 ranges: Example
- Example
- Example
-
-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. **or** Example:
-Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. Example:
-Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode. Example:
-Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge). Example:
-Where https://fabrikam.com does not use Enterprise Mode, but https://fabrikam.com/products uses IE7 Enterprise Mode. Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section. Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
+|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
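Review bot: the new docMode row at L46 carries the wrong explanatory sentence. It ends with "Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge)", which is the doNotTransition illustration from the removed text (L44); the docMode illustration in the removed text was "Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode" (L43), and that is the one this row should keep. Two smaller things in the same rows: L12 names the attribute `<docMode>` while L46 names it `docMode` (it is an attribute, so the bracket-free form used in L46 and L47 is the consistent choice), and both L12 and L46 are missing the space in "<path>elements".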
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 299c6c093f..d9e6edd663 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
- Example
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-You can also use the self-closing version, <url="contoso.com" />, which also sets:
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-Where:
-
- Important
-
- Example
-
-Where:
-
-
- **or** For IPv6 ranges: Where **Important** Example
- Example
-
-Replace:
- These settings configure the network connections for Chromebook devices and include the following settings categories: Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks. Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network. VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet. Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network. These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories: Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider. Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices. Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider. Set Up Apple Push Certificate. 
Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider. Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories: User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune. Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access. Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune. Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices. App Management. 
Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. These settings configure the network connections for Chromebook devices and include the following settings categories:
-
+
+|Setting name |Option |
+|---------|---------|
+|Turn on Site Discovery WMI output | Off |
+|Turn on Site Discovery XML output | Blank |
**Turn on WMI recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- Blank
-
-
+
+|Setting name |Option |
+|---------|---------|
+|Turn on Site Discovery WMI output | On |
+|Turn on Site Discovery XML output | Blank |
**To turn on XML recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- Blank
-
-
+
+|Setting name |Option |
+|---------|---------|
+|Turn on Site Discovery WMI output | Off |
+|Turn on Site Discovery XML output | XML file path |
**To turn on both WMI and XML recording**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- XML file path
-
-
+
+|Setting name |Option |
+|---------|---------|
+|Turn on Site Discovery WMI output | On |
+|Turn on Site Discovery XML output | XML file path |
## Use Configuration Manager to collect your data
After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
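Review bot: this hunk does not restore the "Updated schema elements" table it sits under. The four inserted tables (L85-L88, L105-L108, L125-L128, L145-L148) are the Site Discovery WMI/XML output settings that belong in collect-data-using-enterprise-site-discovery.md (they are added there, almost verbatim, later in this same patch), and the removed block (L57-L82) was already unrelated Chromebook migration text, so after this change the schema v.2 page still has no `<site-list>`, `<site>`, `<compat-mode>` or `<open-in>` rows. The browsers/enterprise-mode copy of this file in this patch carries the intended rows ("|Element |Description |Supported browser |", "|<site-list> |A new root node ..."); suggest bringing that table into this file instead of the settings tables, and dropping the trailing "## Use Configuration Manager to collect your data" heading that also comes from the data-collection page.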
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
index 634fd7cd91..d04fbf79b9 100644
--- a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
@@ -60,132 +60,21 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
-
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- XML file path
-
-
-
+|Element |Description |Supported browser |
+|---------|---------|---------|
+|<rules> | Root node for the schema.
-
-
-
-Element
-Description
-Supported browser
-
-
-<rules>
-Root node for the schema.
-
-
-<rules version="205">
- <emie>
- <domain>contoso.com</domain>
- </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
-
-
-<emie>
-The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
-
-
-<rules version="205">
- <emie>
- <domain>contoso.com</domain>
- </emie>
-</rules>
--or-
-<rules version="205">
- <emie>
- <domain>[10.122.34.99]:8080</domain>
- </emie>
- </rules>
--or-
-<rules version="205">
- <emie>
- <domain>10.122.34.99:8080</domain>
- </emie>
- </rules>
Internet Explorer 11 and Microsoft Edge
-
-
-<docMode>
-The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
-
-
-<rules version="205">
- <docMode>
- <domain docMode="7">contoso.com</domain>
- </docMode>
-</rules>
Internet Explorer 11
-
-
-<domain>
-A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
-
-
-<emie>
- <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
-
-<path>
-A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
-
-
-<emie>
- <domain exclude="false">fabrikam.com
- <path exclude="true">/products</path>
- </domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge |
+|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge |
+|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 |
+|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge |
+|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
-
-
-
-
+|Attribute|Description|Supported browser|
+|--- |--- |--- |
+|<version>|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
+|<exclude>|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the
-
-
-
-Attribute
-Description
-Supported browser
-
-
-<version>
-Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.
-Internet Explorer 11 and Microsoft Edge
-
-
-<exclude>
-Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
-
-
-<emie>
- <domain exclude="false">fabrikam.com
- <path exclude="true">/products</path>
- </domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
-
-<docMode>
-Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
-
-
-<docMode>
- <domain exclude="false">fabrikam.com
- <path docMode="7">/products</path>
- </domain>
-</docMode>
Internet Explorer 11
-
**Example** <emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="7">/products</path>
</domain>
</docMode>|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
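Review bot: the `<exclude>` row at L306 is cut off mid-sentence ("This attribute is supported on the") and the next non-removed line is "**Example** <emie>" (L343), so the words "<domain> and <path> elements." from the removed line L321 are lost; please complete the sentence on L306. Also, the docMode example at L280 and L282 now reads `<docmode>` where the removed lines L226 and L228 had `<docMode>` and every other occurrence on the page uses `<docMode>`; XML element names are case-sensitive, so keep the original casing. Minor: `<version>` and `<exclude>` at L305-L306 are attributes, not elements, and the ie11-deploy-guide copy of this table in this patch writes them as `version` and `exclude` without angle brackets.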
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
index 70694a3df2..fcdaa18eee 100644
--- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
@@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
-
-
-
+
+|Element |Description |Supported browser |
+|---------|---------|---------|
+|<site-list> |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
-
-
-Element
-Description
-Supported browser
-
-
-<site-list>
-A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
-
-<site-list version="205">
- <site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
- </site>
-</site-list>
Internet Explorer 11 and Microsoft Edge
-
-
-<site>
-A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
-
-<site url="contoso.com">
- <compat-mode>default</compat-mode>
- <open-in>none</open-in>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
Internet Explorer 11 and Microsoft Edge
-
-
-<compat-mode>
-A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
-
-
-<site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.Internet Explorer 11
-
-
-<open-in>
-A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
-
-<site url="contoso.com">
- <open-in>none</open-in>
-</site>
-
Internet Explorer 11 and Microsoft Edge
-
**Example**
<site-list version="205">
| Internet Explorer 11 and Microsoft Edge |
+|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example** <site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site><site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
**Examples**<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
-
-
+|Attribute|Description|Supported browser|
+|---------|---------|---------|
+|allow-redirect|A boolean attribute of the
-
-
-
-Attribute
-Description
-Supported browser
-
-
-allow-redirect
-A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
-
-<site url="contoso.com/travel">
- <open-in allow-redirect="true">IE11</open-in>
-</site>
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.Internet Explorer 11 and Microsoft Edge
-
-
-version
-Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
-Internet Explorer 11 and Microsoft Edge
-
-
-url
-Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
-
-
Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.
-
-<site url="contoso.com:8080">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
-</site>
-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.Internet Explorer 11 and Microsoft Edge
-
**Example**<site url="contoso.com/travel">
In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge|
+|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge|
+|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">
In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
-
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
-
-
+|Deprecated attribute|New attribute|Replacement example|
+|--- |--- |--- |
+|<forceCompatView>|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
+|<docMode>|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
+|<doNotTransition>|<open-in>|Replace:
-
-
-
-Deprecated attribute
-New attribute
-Replacement example
-
-
-<forceCompatView>
-<compat-mode>
-Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
-
-
-<docMode>
-<compat-mode>
-Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
-
-
-<doNotTransition>
-<open-in>
-Replace <doNotTransition="true"> with <open-in>none</open-in>
-
-
-<domain> and <path>
-<site>
-Replace:
-
-
-<emie>
- <domain exclude="false">contoso.com</domain>
-</emie>
-With:
-
-<site url="contoso.com"/>
- <compat-mode>IE8Enterprise</compat-mode>
-</site>
--AND-
-<emie>
- <domain exclude="true">contoso.com
- <path exclude="false" forceCompatView="true">/about</path>
- </domain>
-</emie>
-With:
-
-<site url="contoso.com/about">
- <compat-mode>IE7Enterprise</compat-mode>
-</site>
<doNotTransition="true"> with <open-in>none</open-in>|
+|<domain> and <path>|<site>|Replace:<emie>
With:
<domain exclude="false">contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
</site>|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
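Review bot: the protocol note re-added at L525 still lists the same URL twice, "applies to both https://contoso.com and https://contoso.com"; given the preceding sentence ("Make sure that you don't specify a protocol"), the first should be http://contoso.com, since the point of the note is that one `<site url="contoso.com">` entry governs both the plaintext and the TLS origin. Also, the short examples at L455, L458, L467 and L469 close the element with `<site>` instead of `</site>` (carried over from the removed lines L401, L404, L419, L422), and L459 "which also sets:" is followed by nothing; either finish that sentence or drop it.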
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 65fbb8eaaf..488c893951 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -205,68 +205,28 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
You can use both the WMI and XML settings individually or together:
**To turn off Enterprise Site Discovery**
-
-
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|Off|
+|Turn on Site Discovery XML output|Blank|
**Turn on WMI recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- Blank
-
-
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|On|
+|Turn on Site Discovery XML output|Blank|
**To turn on XML recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- Blank
-
-
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|Off|
+|Turn on Site Discovery XML output|XML file path|
-To turn on both WMI and XML recording
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- XML file path
-
-
+**To turn on both WMI and XML recording**
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|On|
+|Turn on Site Discovery XML output|XML file path|
## Use Configuration Manager to collect your data
After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
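Review bot: L671 re-adds "**To turn on both WMI and XML recording**" in bold, matching L611 and L637, but the remaining heading at L618 still reads "**Turn on WMI recording only**" without the leading "To"; suggest aligning it with the other three. In the same spirit, each of the four tables (L614, L633, L652, L672) now starts directly on the line after its bold heading; adding a blank line between heading and "|Setting name|Option|" keeps the heading out of the table header in renderers that do not let a table interrupt a paragraph.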
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 6832c2797b..adf856e767 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -64,163 +64,24 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
-
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- XML file path
-
-
-
+|Element |Description |Supported browser |
+|---------|---------|---------|
+|<rules> | Root node for the schema.
-
-
-
-Element
-Description
-Supported browser
-
-
-<rules>
-Root node for the schema.
-
-
-<rules version="205">
- <emie>
- <domain>contoso.com</domain>
- </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
-
-
-<emie>
-The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
-
-
-<rules version="205">
- <emie>
- <domain>contoso.com</domain>
- </emie>
-</rules>
--or-
-<rules version="205">
- <emie>
- <domain>[10.122.34.99]:8080</domain>
- </emie>
- </rules>
--or-
-<rules version="205">
- <emie>
- <domain>10.122.34.99:8080</domain>
- </emie>
- </rules>
Internet Explorer 11 and Microsoft Edge
-
-
-<docMode>
-The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
-
-
-<rules version="205">
- <docMode>
- <domain docMode="7">contoso.com</domain>
- </docMode>
-</rules>
Internet Explorer 11
-
-
-<domain>
-A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
-
-
-<emie>
- <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
-
-<path>
-A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
-
-
-<emie>
- <domain exclude="true">fabrikam.com
- <path exclude="false">/products</path>
- </domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge |
+|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example** <rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge |
+|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 |
+|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge |
+|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
-
-
-
+|Attribute|Description|Supported browser|
+|--- |--- |--- |
+|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
+|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the
-
-
-
-Attribute
-Description
-Supported browser
-
-
-version
-Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.
-Internet Explorer 11 and Microsoft Edge
-
-
-exclude
-Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false.
-
-
-
-<emie>
- <domain exclude="false">fabrikam.com
- <path exclude="true">/products</path>
- </domain>
-</emie>
Internet Explorer 11
-
-
-docMode
-Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
-
-
-
-<docMode>
- <domain>fabrikam.com
- <path docMode="9">/products</path>
- </domain>
-</docMode>
Internet Explorer 11
-
-
-doNotTransition
-Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
-
-
-
-<emie>
- <domain doNotTransition="false">fabrikam.com
- <path doNotTransition="true">/products</path>
- </domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
-
-
-forceCompatView
-Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
-
-
-
-<emie>
- <domain exclude="true">fabrikam.com
- <path forceCompatView="true">/products</path>
- </domain>
-</emie>
Internet Explorer 11
-
**Example** <emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11|
+|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>
-
-
+|Element |Description |Supported browser |
+|---------|---------|---------|
+|<site-list> |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
-
-
-Element
-Description
-Supported browser
-
-
-<site-list>
-A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
-
-<site-list version="205">
- <site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
- </site>
-</site-list>
Internet Explorer 11 and Microsoft Edge
-
-
-<site>
-A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
-
-<site url="contoso.com">
- <compat-mode>default</compat-mode>
- <open-in>none</open-in>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
Internet Explorer 11 and Microsoft Edge
-
-
-<compat-mode>
-A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
-
-
-<site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
This tag replaces the combination of the "forceCompatView"="true"
attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.Internet Explorer 11
-
-
-<open-in>
-A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
-
-<site url="contoso.com">
- <open-in>none</open-in>
-</site>
-
Internet Explorer 11 and Microsoft Edge
-
**Example**
<site-list version="205">
| Internet Explorer 11 and Microsoft Edge |
+|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example** <site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site><site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
**Examples**<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
-
-
+|Attribute|Description|Supported browser|
+|---------|---------|---------|
+|allow-redirect|A boolean attribute of the
-
-
-
-Attribute
-Description
-Supported browser
-
-
-allow-redirect
-A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
-
-<site url="contoso.com/travel">
- <open-in allow-redirect="true">IE11</open-in>
-</site>
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.Internet Explorer 11 and Microsoft Edge
-
-
-version
-Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
-Internet Explorer 11 and Microsoft Edge
-
-
-url
-Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
-
-
Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com.
-
-<site url="contoso.com:8080">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
-</site>
-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.Internet Explorer 11 and Microsoft Edge
-
**Example**<site url="contoso.com/travel">
In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">
In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
-
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
-
-
+|Deprecated attribute|New attribute|Replacement example|
+|--- |--- |--- |
+|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
+|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
+|doNotTransition|<open-in>|Replace:
-
-
-
-Deprecated element/attribute
-New element
-Replacement example
-
-
-forceCompatView
-<compat-mode>
-Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode>
-
-
-docMode
-<compat-mode>
-Replace docMode="IE5" with <compat-mode>IE5</compat-mode>
-
-
-doNotTransition
-<open-in>
-Replace doNotTransition="true" with <open-in>none</open-in>
-
-
-<domain> and <path>
-<site>
-Replace:
-
-
-<emie>
- <domain>contoso.com</domain>
-</emie>
-With:
-
-<site url="contoso.com"/>
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
-</site>
--AND-
-<emie>
- <domain exclude="true" doNotTransition="true">
- contoso.com
- <path forceCompatView="true">/about</path>
- </domain>
-</emie>
-With:
-
-<site url="contoso.com/about">
- <compat-mode>IE7Enterprise</compat-mode>
- <open-in>IE11</open-in>
-</site>
<doNotTransition="true"> with <open-in>none</open-in>|
+|<domain> and <path>|<site>|Replace:<emie>
With:
<domain exclude="false">contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
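Review bot: the rewritten Note in the v.2 attributes table, `Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com`, repeats the https origin twice; the removed line read `http://contoso.com and https://contoso.com`, and that is the point of the note (an entry with no scheme matches the plaintext HTTP origin as well as the HTTPS one, which an administrator needs to know when deciding what lands in a legacy rendering mode), so restore `http://contoso.com`. Several of the new v.2 examples are also not well-formed XML: `<site url="contoso.com"/>` is self-closing yet is followed by `<compat-mode>` children and a `</site>`, the IPv4/IPv6 `<site url="10.122.34.99:8080">` and `<site url="[10.122.34.99]:8080">` examples end with `<site>` instead of `</site>`, and the sentence about the self-closing form shows `<url="contoso.com" />` where `<site url="contoso.com" />` is meant. In the deprecated-attributes table, `<forceCompatView="true">`, `<docMode="IE5">` and `<doNotTransition="true">` are written as elements, but they are attributes; the removed rows had them right as `forceCompatView="true"`, `docMode="IE5"` and `doNotTransition="true"`.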
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 2fb2324ddc..af0ea18ce1 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -126,96 +126,22 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con
Table 2. Settings in the Device Management node in the Google Admin Console
-
-
-
-
+|Section |Settings |
+|---------|---------|
+|Network |
-
-
-
-Section
-Settings
-
-
-Network
-
-
-
-
-Mobile
-
-
-
-
-
-Chrome management
-
-
-
Section | -Settings | -
---|---|
Basic settings |
-These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA. -Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment. |
-
Password monitoring |
-This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section. |
-
API reference |
-This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section. |
-
Set up single sign-on (SSO) |
-This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO. |
-
Advanced settings |
-This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section. |
-
If you plan to... | -On-premises AD DS | -Azure AD | -Hybrid | -
---|---|---|---|
Use Office 365 | -- | X | -X | -
Use Intune for management | -- | X | -X | -
Use Microsoft Endpoint Manager for management | -X | -- | X | -
Use Group Policy for management | -X | -- | X | -
Have devices that are domain-joined | -X | -- | X | -
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined | -- | X | -X | -
Desired feature | -Windows provisioning packages | -Group Policy | -Configuration Manager | -Intune | -MDT | -Windows Software Update Services | -
---|---|---|---|---|---|---|
Deploy operating system images | -X | -- | X | -- | X | -- |
Deploy apps during operating system deployment | -X | -- | X | -- | X | -- |
Deploy apps after operating system deployment | -X | -X | -X | -- | - | - |
Deploy software updates during operating system deployment | -- | - | X | -- | X | -- |
Deploy software updates after operating system deployment | -X | -X | -X | -X | -- | X | -
Support devices that are domain-joined | -X | -X | -X | -X | -X | -- |
Support devices that are not domain-joined | -X | -- | - | X | -X | -- |
Use on-premises resources | -X | -X | -X | -- | X | -- |
Use cloud-based services | -- | - | - | X | -- | - |
Product or technology | -Resources | -
---|---|
DHCP | -- |
DNS | -- |
Product or technology | -Resources | -
---|---|
AD DS | -- |
Azure AD | -- |
Management system | -Resources | -
---|---|
Windows provisioning packages | -- |
Group Policy | -- |
Configuration Manager | -- |
Intune | -- |
MDT | -- |
Management system | -Resources | -
---|---|
Group Policy | -- |
Configuration Manager | -- |
Intune | -- |
Method | -Description | -
---|---|
MDT | -MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
The advantages of this method are that: -
The disadvantages of this method are that it: - -
|
-
Microsoft Endpoint Configuration Manager | -Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
The advantages of this method are that: -
The disadvantages of this method are that it: -
|
-
Method | -Description | -
---|---|
Group Policy | -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
The advantages of this method include: -
The disadvantages of this method are that it: -
|
-
Intune | -Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
The advantages of this method are that: -
The disadvantages of this method are that it: -
|
-
Selection | -Management method | -
---|---|
Microsoft Endpoint Configuration Manager | -Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
The advantages of this method are that: -
The disadvantages of this method are that it: -
|
-
Intune | -Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
The advantages of this method are that: -
The disadvantages of this method are that it: -
|
-
Microsoft Endpoint Manager and Intune (hybrid) | -Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
The advantages of this method are that: -
The disadvantages of this method are that it: -
|
-
Method | -Description and reason to select this method | - -
---|---|
Windows Deployment Services | -This method: -
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. - |
-
Bootable media | -This method: -
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. - |
-
Deployment media | -This method: -
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. - |
-
Task | -Description | - -
---|---|
1. Import operating systems | -Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench. | -
2. Import device drivers | -Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat. -Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench. - |
-
3. Create MDT applications for Microsoft Store apps | -Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10. - Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks: -
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business. -If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps. -In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to: -
|
-
4. Create MDT applications for Windows desktop apps | -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them. -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool. -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. - -Note You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt). - - |
-
5. Create task sequences | -You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will: -
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench. - - |
-
6. Update the deployment share | -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services. -For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench. - - |
-
Recommendation | -Description | - -
---|---|
Use of Microsoft accounts | -You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts. - -**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option. -**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. - - |
-
Restrict the local administrator accounts on the devices | -Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. -Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. -Intune. Not available. - - |
-
Manage the built-in administrator account created during device deployment | -When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it. -Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status. -Intune. Not available. - - |
-
Control Microsoft Store access | -You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise. -Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?. -Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. - - |
-
Use of Remote Desktop connections to devices | -Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices. -Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. -Intune. Not available. - - |
-
Use of camera | -A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices. -Group Policy. Not available. -Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. - - |
-
Use of audio recording | -Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices. -Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies. -Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. - - |
-
Use of screen capture | -Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices. -Group Policy. Not available. -Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. - - |
-
Use of location services | -Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices. -Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors. -Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. - - |
-
Changing wallpaper | -Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices. -Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop. -Intune. Not available. - - |
-
Task and resources | -Monthly | -New semester or academic year | -As required | -
---|---|---|---|
Verify that Windows Update is active and current with operating system and software updates. -For more information about completing this task when you have: -
|
-x | -x | -x | -
Verify that Windows Defender is active and current with malware Security intelligence. -For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. - |
-x | -x | -x | -
Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found. -For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses. - |
-x | -x | -x | -
Download and approve updates for Windows 10, apps, device driver, and other software. -For more information, see: - - |
-x | -x | -x | -
Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business). -For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options. - |
-- | x | -x | -
Refresh the operating system and apps on devices. -For more information about completing this task, see the following resources: - - |
-- | x | -x | -
Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum. -For more information, see: - - |
-- | x | -x | -
Install new or update existing Microsoft Store apps used in the curriculum. -Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download. -You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see: - - |
-- | x | -x | -
Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure). -For more information about how to: -
|
-- | x | -x | -
Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure). -For more information about how to: -
|
-- | x | -x | -
Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure). -For more information about how to: -
|
-- | x | -x | -
Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure). -For more information about how to: -
|
-- | x | -x | -
Create or modify security groups, and manage group membership in Office 365. -For more information about how to: -
|
-- | x | -x | -
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365. -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group. - |
-- | x | -x | -
Install new student devices. -Follow the same steps you followed in the Deploy Windows 10 to devices section. - |
-- | - | x | -
Supports all free and paid products | -|||
---|---|---|---|
-
|
-
-
|
-
-
|
-
-
|
-
Setting | -Description | -
---|---|
ReportingEnabled |
- Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client. |
-
ReportingServerURL |
- Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>. -
- Note
- This is the port number that was assigned during the Reporting Server setup -
-
- |
-
Reporting Start Time |
- This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23. |
-
ReportingRandomDelay |
- Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data. |
-
ReportingInterval |
- Specifies the retry interval that the client will use to resend data to the reporting server. |
-
ReportingDataCacheLimit |
- Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. |
-
ReportingDataBlockSize |
- Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. |
-
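Review bot: the ReportingDataBlockSize row in this removed table repeats the ReportingDataCacheLimit description word for word ("Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information ..."), so whatever replaces these rows should give ReportingDataBlockSize its own description instead of carrying the copy forward. Two smaller things in the same rows: "Reporting Start Time" is the only setting written with spaces where every other name is a single token (ReportingEnabled, ReportingServerURL, ReportingRandomDelay, ReportingInterval), and the "https://<reportingservername>:<reportingportnumber>" placeholder in the ReportingServerURL row will be eaten as HTML tags in a markdown table unless it is escaped or placed in backticks.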
Cmdlet | -Examples | -
---|---|
Enable-AppVClientConnectionGroup |
- Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 |
-
Disable-AppVClientConnectionGroup |
- Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 |
-
Cmdlet | -Parameter and values | -Example | -
---|---|---|
Set-AppvClientConfiguration |
- -RequirePublishAsAdmin -
|
- Set-AppvClientConfiguration -RequirePublishAsAdmin 1 |
-
- | Describes the connection group virtual environment. |
-
- | Describes the connection group file. |
-
- | Explains how to create a new connection group. |
-
How to Create a Connection Group with User-Published and Globally Published Packages |
-Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally. |
-
- | Explains how to delete a connection group. |
-
- | Explains how to publish a connection group. |
-
- | Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create. |
-
How to Allow Only Administrators to Enable Connection Groups |
-Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups. |
-
New in App-V for Windows client | -Prior to App-V for Windows 10 | -
---|---|
New .xml files are created corresponding to the .osd files associated with a package; these files include the following information: -
You can now choose to add information from a subset of the .osd files in the source directory to the package using the |
-Registry information and scripts included in .osd files associated with a package were not included in package converter output. -The package converter would populate the new package with information from all of the .osd files in the source directory. |
-
These Source directory files… | -…are converted to these Destination directory files… | -…and will contain these items | -Description | -
---|---|---|---|
|
-
|
-
|
-Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired. -In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file. |
-
|
-
|
-
|
-The information from the .osd files specified in the In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the |
-
Issue | -Workaround | -
---|---|
Virtual packages using DSC are not linked after conversion. |
-Link the packages using connection groups. See Managing Connection Groups. |
-
Environment variable conflicts are detected during conversion. |
-Resolve any conflicts in the associated .osd file. |
-
Hard-coded paths are detected during conversion. |
-Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package. |
-
Task | -More Information | -
---|---|
Review prerequisites. |
-- |
Enable the App-V client. |
-- |
Install App-V Server. |
-- |
Migrate existing packages. |
-See Converting packages created using a prior version of App-V earlier in this topic. |
-
<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge | @@ -78,7 +79,7 @@ This table includes the attributes used by the Enterprise Mode schema. |Attribute|Description|Supported browser| |--- |--- |--- | |version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge| -|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on theand elements.
**Example**<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| +|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
**Example**<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| |docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11| |doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| |forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index d9e6edd663..a90c4220a3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -109,7 +109,7 @@ The <url> attribute, as part of the <site> element in the v.2 versio |Attribute|Description|Supported browser| |---------|---------|---------| -|allow-redirect|A boolean attribute of the
element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
**Example**<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
<open-in allow-redirect="true">IE11 </open-in>
</site>- | Internet Explorer 11 and Microsoft Edge| +|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
**Example**<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
<open-in allow-redirect="true">IE11 </open-in>
</site>- | Internet Explorer 11 and Microsoft Edge| |version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| |url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 2572fe0140..0bff4be589 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -1256,7 +1256,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||x|x| |Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources:- [Prepare for deployment](#prepare-for-deployment)
- [Capture the reference image](#capture-the-reference-image)
- [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||x|x| |Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x| -|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager]((#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager))||x|x| +|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x| |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
- Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x| |Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
For more information about how to:- Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
- Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x| |Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)
- Remove licenses, [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x| diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index e51947b121..784f390319 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -23,6 +23,7 @@ Connection groups enable the applications within a package to interact with each In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition. **In this section:** + ||| |--- |--- | |[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| From 7893f3048614984037eb0aee6cb2027c094d347f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi
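Review bot: in the enterprise-mode-schema-version-1-guidance.md hunk at @@ -78,7 +79,7 @@, the sentence under the exclude example still contradicts the attribute values it explains: with exclude="false" on fabrikam.com and exclude="true" on /products, the domain gets Enterprise Mode and the /products path is the one excluded, yet the text kept unchanged on the + line says fabrikam.com "doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does". Since the line is being edited anyway, invert that sentence to match the markup. In the unchanged forceCompatView row further down the same hunk, the example sets doNotTransition="true" rather than forceCompatView="true", so it does not demonstrate the attribute it documents; worth a follow-up in the same file.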
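Review bot: in the enterprise-mode-schema-version-2-guidance.md hunk at @@ -109,7 +109,7 @@, the note under the url row (context lines) reads "applies to both https://contoso.com and https://contoso.com", which lists the same link twice; the sentence is there to say that omitting the protocol covers both schemes, so the first link should be the http://contoso.com form. Adding the <open-in> element name to the allow-redirect description is the right fix.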
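Review bot: in the deploy-windows-10-in-a-school-district.md hunk at @@ -1256,7 +1256,7 @@, removing the doubled parentheses from the Configuration Manager link is correct, but the last context row of the hunk is still inconsistent with its neighbours: "Remove licenses, [Assign or remove licenses for Office 365 for business](...)." drops the "see" that the other "Remove licenses, see [...]" and "Assign licenses, see [...]" bullets use and ends in a period the others do not; align it while this table is being touched.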
Date: Tue, 9 Nov 2021 17:01:44 +0530 Subject: [PATCH 10/46] Fixed suggestion --- .../app-v/appv-managing-connection-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 784f390319..0f8cf76315 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -24,7 +24,7 @@ In some previous versions of App-V, connection groups were referred to as Dynami **In this section:** -||| +|Links|Description| |--- |--- | |[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| |[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.| From 84c016bb73246d98e7f4322f67079af4f68a3733 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 9 Nov 2021 20:00:33 +0530 Subject: [PATCH 11/46] Fixing the space issue --- .../collect-data-using-enterprise-site-discovery.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 488c893951..1d27b32519 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md 
@@ -205,24 +205,28 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** + |Setting name|Option| |--- |--- | |Turn on Site Discovery WMI output|Off| |Turn on Site Discovery XML output|Blank| **Turn on WMI recording only** + |Setting name|Option| |--- |--- | |Turn on Site Discovery WMI output|On| |Turn on Site Discovery XML output|Blank| **To turn on XML recording only** + |Setting name|Option| |--- |--- | |Turn on Site Discovery WMI output|Off| |Turn on Site Discovery XML output|XML file path| **To turn on both WMI and XML recording** + |Setting name|Option| |--- |--- | |Turn on Site Discovery WMI output|On| From 3542e8beb96bc0fd83e7c58bc959ddd7f1617516 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 9 Nov 2021 10:08:29 -0500 Subject: [PATCH 12/46] Replaced 'X's in table with green checks --- ...ct-data-using-enterprise-site-discovery.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 1d27b32519..8cef068687 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md 
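Review bot: in the collect-data-using-enterprise-site-discovery.md hunk at @@ -205,24 +205,28 @@, the added blank lines are what the tables need to render, but the four bold labels in the same hunk are inconsistent: three read "To turn off Enterprise Site Discovery", "To turn on XML recording only" and "To turn on both WMI and XML recording", while the second is "Turn on WMI recording only" without the leading "To"; make it "To turn on WMI recording only" while this block is being edited.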
@@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br |Data point |IE11 |IE10 |IE9 |IE8 |Description | |------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | +|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. | +|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. | +|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. | +|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. | +|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. 
| +|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. | +|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. | +|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. | >**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. From ff56bb42494b29b0795774a369dd24b57d7cf526 Mon Sep 17 00:00:00 2001 From: Mandi OhlingerDate: Tue, 9 Nov 2021 10:15:20 -0500 Subject: [PATCH 13/46] Replaced 'X's with checks --- .../windows/chromebook-migration-guide.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index af0ea18ce1..a0e4bd59ee 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -356,12 +356,12 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |If you plan to...|On-premises AD DS|Azure AD|Hybrid| |--- |--- |--- |--- | -|Use Office 365||X|X| -|Use Intune for management||X|X| -|Use Microsoft Endpoint Manager for management|X||X| -|Use Group Policy for management|X||X| -|Have devices that are domain-joined|X||X| -|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||X|X| +|Use Office 365||✔️|✔️| +|Use Intune for management||✔️|✔️| +|Use Microsoft Endpoint Manager for management|✔️||✔️| +|Use Group Policy for management|✔️||✔️| +|Have devices that are domain-joined|✔️||✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| ### 
@@ -377,15 +377,15 @@ Table 6. Device, user, and app management products and technologies |Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services| |--- |--- |--- |--- |--- |--- |--- | -|Deploy operating system images|X||X||X|| -|Deploy apps during operating system deployment|X||X||X|| -|Deploy apps after operating system deployment|X|X|X|||| -|Deploy software updates during operating system deployment|||X||X|| -|Deploy software updates after operating system deployment|X|X|X|X||X| -|Support devices that are domain-joined|X|X|X|X|X|| -|Support devices that are not domain-joined|X|||X|X|| -|Use on-premises resources|X|X|X||X|| -|Use cloud-based services||||X||| +|Deploy operating system images|✔️||✔️||✔️|| +|Deploy apps during operating system deployment|✔️||✔️||✔️|| +|Deploy apps after operating system deployment|✔️|✔️|✔️|||| +|Deploy software updates during operating system deployment|||✔️||✔️|| +|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| +|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| +|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Use on-premises resources|✔️|✔️|✔️||✔️|| +|Use cloud-based services||||✔️||| You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. From 8cb8ff422acbea62c0ca47d61409e466dd4ce30c Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 9 Nov 2021 21:08:05 +0530 Subject: [PATCH 14/46] Fixing spaces! --- education/windows/chromebook-migration-guide.md | 3 +++ education/windows/deploy-windows-10-in-a-school-district.md | 3 +++ 2 files changed, 6 insertions(+) 
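Review bot: in the chromebook-migration-guide.md hunk at @@ -377,15 +377,15 @@, swapping X for ✔️ leaves the row "Deploy apps after operating system deployment|✔️|✔️|✔️||||" with an empty Intune cell, even though the deploy-windows-10-in-a-school-district.md hunks in this same series point to "Deploy and manage apps by using Intune" for exactly that task; confirm whether that cell should be ✔️ before the cosmetic change lands. Product naming also drifts between the tables touched here: Table 5 says "Microsoft Endpoint Manager", this table's header says "Configuration Manager", and the school district guide says "Microsoft Endpoint Configuration Manager".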
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index a0e4bd59ee..66569c4674 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -135,6 +135,7 @@ Table 2. Settings in the Device Management node in the Google Admin Console Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console + |Section|Settings| |--- |--- | |Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.| @@ -463,6 +464,7 @@ It is important that you perform AD DS and Azure AD services deployment or remed In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. Table 8. AD DS, Azure AD and deployment resources + |Product or technology|Resources| |--- |--- | |AD DS|- [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| @@ -497,6 +499,7 @@ In the [Plan for app migration or replacement](#plan-app-migrate-replace) sectio In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. Table 10. Management systems and app deployment resources + |Management system|Resources| |--- |--- | |Group Policy|
- [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
- [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
- [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))| diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 0bff4be589..63f897395a 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -838,6 +838,7 @@ This guide discusses thick image deployment. For information about thin image de ### Select a method to initiate deployment The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution. + |Method|Description and reason to select this method| |--- |--- | |Windows Deployment Services|This method:
- Uses diskless booting to initiate LTI and ZTI deployments.
- Works only with devices that support PXE boot.
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
- Deploys images more slowly than when you use local media.
- Requires that you deploy a Windows Deployment Services server.
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| @@ -856,6 +857,7 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y ### Configure the MDT deployment share The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16. + |Task|Description| |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| @@ -1247,6 +1249,7 @@ After the initial deployment, you need to perform certain tasks to maintain the - **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. + |Task and resources|Monthly|New semester or academic year|As required| |--- |--- |--- |--- | |Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have:- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
- WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|x|x|x| From bbd31a4d71b0dacf37c50aefcb8eb173a718c978 Mon Sep 17 00:00:00 2001 From: Mandi OhlingerDate: Tue, 9 Nov 2021 12:06:56 -0500 Subject: [PATCH 15/46] Updated links; Replaced 'x's with check marks --- .../deploy-windows-10-in-a-school-district.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 63f897395a..10787af567 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -83,7 +83,7 @@ This district configuration has the following characteristics: * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). -* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. +* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. * Each device supports a one-student-per-device or multiple-students-per-device scenario. 
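Review bot: In the `@@ -856,6 +857,7 @@` hunk of deploy-windows-10-in-a-school-district.md (Table 16, task "1. Import operating systems"), the row this blank line is added above links the wrong procedure: the sentence reads "For more information about how to import operating systems" but the link is `[Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)`. Since the row is being touched, point it at the import-operating-systems section of that same MDT page (or at least fix the link text) so the first deployment-share task does not send the reader to the driver-import step.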
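Review bot: In the `@@ -1247,6 +1249,7 @@` hunk, the Table 19 Windows Update row that gets the new blank line has two defects in its context lines. The WSUS bullet links `[Windows Server Update Services](/windows/deployment/deploy-whats-new)`, a what's-new page rather than WSUS documentation, and the last option, `Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.`, lacks the `- ` prefix that the Intune, Group Policy and WSUS bullets have, so it renders as a continuation of the WSUS item. Correct the target and add the bullet here; the following patch copies this row into its `@@ -1252,21 +1252,21 @@` hunk with both problems intact.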
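Review bot: In the `@@ -83,7 +83,7 @@` hunk, the target becomes `/microsoft-365/admin/basic-mobility-security/set-up` but the link text is still "Mobile Device Management for Office 365"; the feature that page documents is now called Basic Mobility and Security. Update the text to match the new target, as the `@@ -722,7 +722,7 @@` hunk does with "Create a Microsoft 365 group in the admin center", so an admin looking for the option by its current name in the admin center recognises it.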
@@ -128,7 +128,7 @@ Office 365 Education allows: * Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices). -For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). +For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans). ### How to configure a district 
@@ -439,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. > [!NOTE] -> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). +> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up). Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: 
@@ -451,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you > [!NOTE] > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. -By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). +By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up). |Action |Windows PowerShell command| |-------|--------------------------| 
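Review bot: In the `@@ -451,7 +451,7 @@` hunk, the replacement link drops the `#BKMK_PreventJoins` fragment of the old URL, so "How can I prevent students from joining my existing Office 365 tenant" now opens the top of `/microsoft-365/education/deploy/office-365-education-self-sign-up` rather than the section the sentence refers to. The sentence promises "more information about how to run these commands", which only holds if the reader lands on the PowerShell section; if the new page has an equivalent heading, keep a fragment to it.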
@@ -470,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. -Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up). |Action |Windows PowerShell command| |-------|--------------------------| 
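Review bot: In the `@@ -470,7 +470,7 @@` hunk, the same fragment loss as in the `@@ -451` hunk applies, and the mismatch is worse here: the paragraph is about enabling or disabling automatic licensing with the Table 11 commands, yet the link text reads "How can I prevent students from joining my existing Office 365 tenant". Since the line is being rewritten anyway, retitle the link to the licensing question it is meant to support (and add a section fragment if the target page has one) instead of carrying over the copy-paste from the tenant-join section.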
@@ -691,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. -For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time). > [!NOTE] > If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. 
@@ -705,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not > [!NOTE] > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). +For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups). You can add and remove users from security groups at any time. @@ -722,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm > Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. -For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). +For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups). #### Summary @@ -1252,21 +1252,21 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Task and resources|Monthly|New semester or academic year|As required| |--- |--- |--- |--- | -|Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have:- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
- WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|x|x|x| -|Verify that Windows Defender is active and current with malware Security intelligence.
For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|x|x|x| -|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|x|x|x| -|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see:- [Manage updates by using Intune](#manage-updates-by-using-intune)
- [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|x|x|x| -|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||x|x| -|Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources:- [Prepare for deployment](#prepare-for-deployment)
- [Capture the reference image](#capture-the-reference-image)
- [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||x|x| -|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x| -|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x| -|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
- Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x| -|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
For more information about how to:- Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
- Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x| -|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)
- Remove licenses, [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x| -|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
For more information about how to:- Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
- Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x| -|Create or modify security groups, and manage group membership in Office 365.
For more information about how to:- Create or modify security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US)
- Manage group membership, see [Manage Group membership in the admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).||x|x| -|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and[Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB).||x|x| -|Install new student devices.
Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||x| +|Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have:- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
- WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Defender is active and current with malware Security intelligence.
For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️| +|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see:- [Manage updates by using Intune](#manage-updates-by-using-intune)
- [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| +|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| +|Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources:- [Prepare for deployment](#prepare-for-deployment)
- [Capture the reference image](#capture-the-reference-image)
- [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| +|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see:- [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
- Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
For more information about how to:- Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
- Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
For more information about how to:- Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
- Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
For more information about how to:- Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
- Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Create or modify security groups, and manage group membership in Office 365.
For more information about how to:- Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
- Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| +|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| +|Install new student devices.
Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️| *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them* @@ -1285,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an * [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) * [Reprovision devices at the end of the school year (video)](./index.md) * [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) \ No newline at end of file +* [Use Microsoft Store for Business in a school environment (video)](./index.md) From ae889384513822443bcc1ad6f99cef3453b74593 Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Tue, 9 Nov 2021 11:55:47 -0800 Subject: [PATCH 16/46] Create whats-new-windows-10-2021.md --- .../ltsc/whats-new-windows-10-2021.md | 659 ++++++++++++++++++ 1 file changed, 659 insertions(+) create mode 100644 windows/whats-new/ltsc/whats-new-windows-10-2021.md diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md new file mode 100644 index 0000000000..339e781039 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
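Review bot: In the `@@ -705,7 +705,7 @@` hunk, the paragraph tells readers to assign SharePoint Online permissions to security groups, but the new target `/microsoft-365/admin/create-groups/create-groups` is the Microsoft 365 groups page, and the link text still says "Create an Office 365 Group in the admin center" while the identical change in `@@ -722,7 +722,7 @@` renames it to "Create a Microsoft 365 group in the admin center". A Microsoft 365 group is a collaboration object with its own mailbox and site, not the security group the guide itself says to use for resource permissions. Point this one at the security-group page the `@@ -1252` hunk already links, `/microsoft-365/admin/email/create-edit-or-delete-a-security-group`, and make the two link texts consistent.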
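Review bot: In the `@@ -1252,21 +1252,21 @@` hunk, the license links in the account rows now all resolve to `/microsoft-365/admin/add-users/add-users` under three different titles: "Add users and assign licenses" (both bullets of the AD DS rows), "Assign or remove licenses for Microsoft 365" (the Office 365 remove row) and "Add users to Microsoft 365" (the Office 365 assign-licenses bullet). Use one title per target, and for the two "Remove licenses" bullets link a page that covers removing licenses; an offboarding step that points at the onboarding article is the kind of thing that leaves departed users licensed. Also in this hunk: the Windows Defender row keeps the `support.microsoft.com/instantanswers/...#v1h=tab02` and `#v1h=tab03` URLs and the add-accounts row keeps the YouTube link, which sits oddly with the "Updated links" commit message; the copied Windows Update row still lacks the `- ` on `Neither Intune, Group Policy, nor WSUS, see ...` and still links WSUS to `/windows/deployment/deploy-whats-new`; and the last row still reads `the[Deploy Windows 10 to devices]` with the missing space.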
@@ -0,0 +1,659 @@ +--- +title: What's new in Windows 10 Enterprise LTSC 2021 +ms.reviewer: +manager: dougeby +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise LTSC 2021 + +**Applies to** +- Windows 10 Enterprise LTSC 2021 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 21H2. + +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: +- Advanced protection against modern security threats +- Full flexibility of OS deployment +- Updating and support options +- Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2021 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. 
+ +## Microsoft Intune + +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Microsoft Defender for Endpoint + +The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + + + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). + +- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. 
You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. 
+ +Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). + +We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: + +- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) +- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) + +Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). 
+ +New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: + +- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) + +We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). + +**Endpoint detection and response** is also enhanced. New **detection** capabilities include: + +- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + +- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + +- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + +- Upgraded detections of ransomware and other advanced attacks. 
+ +- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + +**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. +- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + +- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. 
+ +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + +- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + +- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + +- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + +- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. + +Other enhanced security features include: + +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. + +- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. 
+ +- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. + +- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. + +- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. 
If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: + +- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
+ + + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. 
For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. + +2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. + + > [!IMPORTANT] + > The encryption policy must be assigned to **devices** in the group, not users. + +3. 
Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + + > [!IMPORTANT] + > If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: + +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). + +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. + +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). + +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). + +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. 
+ +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. + +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. + +- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. + +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. 
This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. + +> [!NOTE] +> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvements + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. 
WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + + + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. 
You can quickly take action on threats from this screen: + + + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). 
+ +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### DISM + +The following new DISM commands have been added to manage feature updates: + +- **DISM /Online /Initiate-OSUninstall** + - Initiates an OS uninstall to take the computer back to the previous installation of windows. + +- **DISM /Online /Remove-OSUninstall** + - Removes the OS uninstall capability from the computer. + +- **DISM /Online /Get-OSUninstallWindow** + - Displays the number of days after upgrade during which uninstall can be performed. + +- **DISM /Online /Set-OSUninstallWindow** + - Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). 
+ +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + +`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` + +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). + +New command-line switches are also available to control BitLocker: + +- **Setup.exe /BitLocker AlwaysSuspend** + - Always suspend BitLocker during upgrade. + +- **Setup.exe /BitLocker TryKeepActive** + - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. + +- **Setup.exe /BitLocker ForceKeepActive** + - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. 
When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash! + +**To enable fast sign-in:** + +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. + +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. + +3. Sign-in to a shared PC with your account. You'll notice the difference! + +  + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** + +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). + +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. + +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + + + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. 
The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](/archive/blogs/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). 
+ +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk configuration + +The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download). + +Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. 
+ +If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. + +### Co-management + +Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + + + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. 
Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) + +- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) + +- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, 
[**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). + +## Windows Update + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. 
+ +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. 
Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options). 
+ +- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019. + +For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management). 
+ +### MDM diagnostics + +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. 
+ +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality). 
+ +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). + +#### How it works + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +#### Miracast over Infrastructure offers a number of benefits + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. 
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +#### Enabling Miracast over Infrastructure + +If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. + +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. + +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +> [!IMPORTANT] +> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. 
+ +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + + + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. + +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + + + + + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. From 3ac8fbe42eac3788266aa3a240ca3bb51091e92c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Nov 2021 13:56:31 -0800 Subject: [PATCH 17/46] draft --- .../ltsc/whats-new-windows-10-2021.md | 694 ++++-------------- 1 file changed, 152 insertions(+), 542 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 339e781039..cf66abe26c 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
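Review bot: in the LTSC 2019 what's-new hunk that ends just above this file header, the "Remote Desktop with Biometrics" bullet "Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server" names a specific Hyper-V host that the section never introduces; it reads like a leftover from an internal demo and should be generalized to "to the remote computer" (the facial-recognition wording is also narrower than the section's own claim that any Windows Hello for Business biometric can be used). Same hunk, "Web sign-in to Windows 10" step 2 has the typo "polices" for "policies", and both sign-in procedures would be clearer if step 2 gave the actual Policy CSP path (Authentication/EnableFastFirstSignIn and Authentication/EnableWebSignIn) rather than "the Policy CSP, and the Authentication and ... policies". Finally, the "Windows diagnostic data" subsection links only the version 1703 event and field references on a page describing the 1809-based LTSC 2019 release; if 1809 equivalents of those pages exist they should be linked instead.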
@@ -18,10 +18,10 @@ ms.topic: article **Applies to** - Windows 10 Enterprise LTSC 2021 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 21H2. +>Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - Advanced protection against modern security threats 
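Review bot: the replacement line "compared to Windows 10 Enterprise LTSC 2019 (LTSB)" carries the "(LTSB)" parenthetical over from the old text, but that label only applied to the 2016 release (Long-Term Servicing Branch); LTSC 2019 was never branded LTSB, so drop the parenthetical in the `+` line. The rest of the hunk (the "Applies to" entry and the note equating LTSC 2021 features with version 21H2) is consistent with the title change.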
@@ -29,630 +29,240 @@ Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding p - Updating and support options - Comprehensive device and app management and control capabilities -The Windows 10 Enterprise LTSC 2021 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. +The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. ->[!IMPORTANT] ->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. +> [!IMPORTANT] +> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. -## Microsoft Intune +## Lifecycle -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. 
For more information, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). + +## Microsoft Edge + +Microsoft Edge Browser support is now included in-box. + +### Microsoft Edge kiosk mode + +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). + +Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: + +Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +Both experiences are running a Microsoft Edge InPrivate session, which protects user data. + +## Windows Subsystem for Linux + +Windows Subsystem for Linux (WSL) is be available in-box. + +## Networking + +WPA3 H2E standards are supported for enhanced Wi-Fi security. ## Security -This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. - -### Threat protection - -#### Microsoft Defender for Endpoint - -The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
- - - -##### Attack surface reduction - -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). - -- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - -- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. - -###### Windows Defender Firewall - -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). 
- -##### Windows Defender Device Guard - -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies -- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) - -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). - -### Next-gen protection - -### Endpoint detection and response - -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. - -Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). 
- -We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: - -- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) -- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) - -Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). 
- -New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include: - -- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) - -We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). - -**Endpoint detection and response** is also enhanced. New **detection** capabilities include: - -- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - -- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - -- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - -- Upgraded detections of ransomware and other advanced attacks. 
- -- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - -**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: - -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. -- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - -Additional capabilities have been added to help you gain a holistic view on **investigations** include: - -- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. 
- -- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - -- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - -- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - -- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - -- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. - -Other enhanced security features include: - -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. - -- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. 
- -- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. - -- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. - -- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - -- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. - -- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) - -We've also added a new assessment for the Windows time service to the **Device performance & health** section. 
If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. - -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. - -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). - -You can read more about ransomware mitigations and detection capability at: - -- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) - -Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) - -Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). 
- - - -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. - -#### Windows Information Protection - -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). - -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). - -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). - -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). - -### BitLocker - -The minimum PIN length is being changed from 6 to 4, with a default of 6. 
For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). - -#### Silent enforcement on fixed drives - -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. - -This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. - -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. 
Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - -### Identity protection - -Improvements have been added are to Windows Hello for Business and Credential Guard. - -#### Windows Hello for Business - -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. - -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: - -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). - -- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. - -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). - -[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). - -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - -- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. 
- -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. - -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. - -- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. - -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). - -For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) +### Windows Hello + +- Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes. +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. 
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. +- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. 
+- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +### Windows Information Protection #### Windows Defender Credential Guard -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. 
+#### Microsoft Defender for Endpoint -> [!NOTE] -> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +- [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). +- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). +- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. 
+- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. +- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. +- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). -### Other security improvements +Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. -#### Windows security baselines +### Threat Protection -Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). +- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. +- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. -**Windows security baselines** have been updated for Windows 10. 
A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). +#### Windows Defender Application Guard (WDAG) -The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. +- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. -#### SMBLoris vulnerability + To try this extension: + 1. Configure WDAG policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. 
-An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. + - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. -#### Windows Security Center +WDAG performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. -Windows Defender Security Center is now called **Windows Security Center**. +[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. 
+Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. +- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. 
If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. +#### Windows Defender System Guard - +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. 
-#### Group Policy Security Options +This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + -A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. -#### Windows 10 in S mode +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. 
-We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: +  - +### Security management + +- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. +- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. +- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. + +#### Microsoft BitLocker + +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. 
+ +#### Key-rolling and Key-rotation + +Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. + +#### Transport Layer Security (TLS) + +An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/). ## Deployment ### Windows Autopilot -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. +[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. 
Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. +- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. +- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. +With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. 
For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. -#### Autopilot Reset +Enhancements to Windows Autopilot since the last release of Windows 10 include: +- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode. +- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience. +- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**. -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). +A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios. -### MBR2GPT.EXE +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. 
For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. +## Microsoft Intune -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. +Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). 
- -### DISM - -The following new DISM commands have been added to manage feature updates: - -- **DISM /Online /Initiate-OSUninstall** - - Initiates an OS uninstall to take the computer back to the previous installation of windows. - -- **DISM /Online /Remove-OSUninstall** - - Removes the OS uninstall capability from the computer. - -- **DISM /Online /Get-OSUninstallWindow** - - Displays the number of days after upgrade during which uninstall can be performed. - -- **DISM /Online /Set-OSUninstallWindow** - - Sets the number of days after upgrade during which uninstall can be performed. - -For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). - -### Windows Setup - -You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. - -Prerequisites: -- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later. -- Windows 10 Enterprise or Pro - -For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). - -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - -`/PostRollback[\setuprollback.cmd] [/postrollback {system / admin}]` - -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). - -New command-line switches are also available to control BitLocker: - -- **Setup.exe /BitLocker AlwaysSuspend** - - Always suspend BitLocker during upgrade. - -- **Setup.exe /BitLocker TryKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. 
- -- **Setup.exe /BitLocker ForceKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. - -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). - -### Feature update improvements - -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). +For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. +[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.2107.27002 (downloadable version) is available. -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
-## Sign-in +### Reserved storage -### Faster sign-in to a Windows 10 shared pc +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash! -**To enable fast sign-in:** +#### Microsoft Endpoint Manager -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). -2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). -3. 
Sign-in to a shared PC with your account. You'll notice the difference! +Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). + . -  +### Windows Assessment and Deployment Toolkit (ADK) -### Web sign-in to Windows 10 +A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). +### Microsoft Deployment Toolkit (MDT) -**To try out web sign-in:** +MDT version 8456 supports Windows 10 Enterprise LTSC 2021. -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +### Windows Setup -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. +Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). - +Improvements in Windows Setup with this release also include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options -## Windows Analytics +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). 
-### Upgrade Readiness ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. +## Device management -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. +Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) -For more information about Upgrade Readiness, see the following topics: +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. 
-- [Windows Analytics blog](/archive/blogs/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). -### Update Compliance -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. -Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor). -### Device Health -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor). -## Accessibility and Privacy -### Accessibility -"Out of box" accessibility is enhanced with auto-generated picture descriptions. 
For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. -### Privacy - -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. - -## Configuration - -### Kiosk configuration - -The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download). - -Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. - -If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. - -### Co-management - -Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. - -For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). 
- -### OS uninstall period - -The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. - -### Azure Active Directory join in bulk - -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. - - - -### Windows Spotlight - -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - -- **Turn off the Windows Spotlight on Action Center** -- **Do not use diagnostic data for tailored experiences** -- **Turn off the Windows Welcome Experience** - -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) - -### Start and taskbar layout - -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). - -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). 
New MDM policy settings include: - -- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) - -- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) - -- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), 
[**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). - -## Windows Update - -### Windows Insider for Business - -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). - -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). - - -### Optimize update delivery - -With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. - ->[!NOTE] -> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. - -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
- -Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) - -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). - -### Uninstalled in-box apps no longer automatically reinstall - -Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. - -Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. - -## Management - -### New MDM capabilities - -Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. 
Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). - -Some of the other new CSPs are: - -- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - -- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. - -- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - -- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - -- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options). 
- -- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. - -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. - -[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) - -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). - -### Mobile application management support for Windows 10 - -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019. - -For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management). 
- -### MDM diagnostics - -In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - -### Application Virtualization for Windows (App-V) - -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. 
- -For more info, see the following topics: -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - -### Windows diagnostic data - -Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. - -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) - -### Group Policy spreadsheet - -Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019. - -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) - -### Mixed Reality Apps - -This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality). 
- -## Networking - -### Network stack - -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). - -### Miracast over Infrastructure - -In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). - -#### How it works - -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. - -#### Miracast over Infrastructure offers a number of benefits - -- Windows automatically detects when sending the video stream over this path is applicable. -- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. -- No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. 
-- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - -#### Enabling Miracast over Infrastructure - -If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. - -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. - -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -> [!IMPORTANT] -> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. 
- -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - - - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. - -- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -See the following example: - - - - ## See Also From 4987b40908562d19827cbcf60c36ae4960883226 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Tue, 9 Nov 2021 19:57:07 -0500 Subject: [PATCH 18/46] ado5562520 - What's new in Win10 21H2 --- windows/whats-new/TOC.yml | 2 + .../whats-new-windows-10-version-21H2.md | 75 +++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 windows/whats-new/whats-new-windows-10-version-21H2.md diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index b7b6b4220a..176668f48e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -14,6 +14,8 @@ - name: Windows 10 expanded: true items: + - name: What's new in Windows 10, version 21H2 + href: whats-new-windows-10-version-21H2.md - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md new file mode 100644 index 0000000000..97ff81229b --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md 
@@ -0,0 +1,75 @@ +--- +title: What's new in Windows 10, version 21H2 for IT pros +description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. +ms.reviewer: +manager: dougeby +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: mandia +author: MandiOhlinger +ms.localizationpriority: medium +ms.topic: article +--- + +# What's new in Windows 10, version 21H2 + +**Applies to**: + +- Windows 10, version 21H2 + +Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1. + +Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule: + +- **Windows 10 Professional**: Serviced for 24 months from the release date. +- **Windows 10 Enterprise**: Serviced for 36 months from the release date. + +Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2). + +Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791). 
+ +To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/). + +## Updates and servicing + +Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel, like Windows 11. Previous feature updates were installed using the semi-annual channel. Quality updates are still installed monthly on patch Tuesday. + +For more information, see: + +- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions) +- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels) + +For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). + +## GPU compute support for the Windows Subsystem for Linux + +Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows. + +For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/). + +## Get the latest CSPs + +The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers. + +These CSPs are built in to Windows 10, version 21H2. 
These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis. + +For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). + +## Apps appear local with Azure Virtual Desktop + +Azure virtual desktop is a Windows client OS hosted in the cloud, and it has virtual apps. The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. + +For more information, see: + +- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) +- [Set up MSIX app attach with the Azure portal](azure/virtual-desktop/app-attach-azure-portal) + +## Wi-Fi 6E support + +Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth. + +## Related articles + +- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel) From fe5e69e3996ea58953105ed0097a39367ad1a334 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 10 Nov 2021 09:38:56 -0800 Subject: [PATCH 19/46] draft --- windows/whats-new/ltsc/TOC.yml | 2 ++ windows/whats-new/ltsc/index.md | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml index aaabcc56ee..d7d88350ef 100644 --- a/windows/whats-new/ltsc/TOC.yml +++ b/windows/whats-new/ltsc/TOC.yml 
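Review bot: in the new whats-new-windows-10-version-21H2.md, the MSIX app attach link is missing its leading slash: `[Set up MSIX app attach with the Azure portal](azure/virtual-desktop/app-attach-azure-portal)` will resolve relative to windows/whats-new/ instead of the docs root, so change it to `(/azure/virtual-desktop/app-attach-azure-portal)` to match the sibling `(/azure/virtual-desktop/overview)` link. The same blog post, "How to get the Windows 10 November 2021 Update", is also linked twice with different URLs (the dated path in the intro and `?p=176473` under "Updates and servicing"); pick one URL, and drop "the" in "see the [How to get the Windows 10 November 2021 Update]" so the sentence reads "see [How to get the Windows 10 November 2021 Update]".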
@@ -1,6 +1,8 @@ - name: Windows 10 Enterprise LTSC href: index.md items: + - name: What's new in Windows 10 Enterprise LTSC 2021 + href: whats-new-windows-10-2021.md - name: What's new in Windows 10 Enterprise LTSC 2019 href: whats-new-windows-10-2019.md - name: What's new in Windows 10 Enterprise LTSC 2016 diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 7e088e312d..70c1f327ba 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -8,7 +8,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.author: greglin -manager: laurawi +manager: dougeby ms.localizationpriority: low ms.topic: article --- @@ -22,6 +22,7 @@ ms.topic: article This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. +[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) 
@@ -35,14 +36,15 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | +| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/16/2021 | ->[!NOTE] ->The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. +> [!NOTE] +> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. ->[!IMPORTANT] ->The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. 
These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). +> [!IMPORTANT] +> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). From 9ad8b9ac6ee5b23cc6ff4d75d75a3333b9ecb5e5 Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Wed, 10 Nov 2021 10:09:29 -0800 Subject: [PATCH 20/46] draft --- windows/whats-new/ltsc/index.md | 2 +- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 10 +++------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 70c1f327ba..28bc3db429 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md 
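Review bot: the table row added in the index.md hunk at @@ -35,14 +36,15 @@ duplicates the row above it apart from the date: `+| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/16/2021 |`. The TOC entry added in the same patch is "What's new in Windows 10 Enterprise LTSC 2021", so this row should read `| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 |`; as committed, readers see LTSC 2019 listed twice with two different release dates.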
@@ -36,7 +36,7 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | -| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/16/2021 | +| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | > [!NOTE] > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index cf66abe26c..a9f5bb8a0a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
@@ -20,14 +20,10 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). ->[!NOTE] ->Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. -Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: -- Advanced protection against modern security threats -- Full flexibility of OS deployment -- Updating and support options -- Comprehensive device and app management and control capabilities +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. From 37e4ad909b96b9f66d017e373a4b3bbec7856b74 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 10 Nov 2021 11:33:23 -0800 Subject: [PATCH 21/46] draft --- .../ltsc/whats-new-windows-10-2021.md | 38 +++++++++---------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index a9f5bb8a0a..bf0312bdc1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
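Review bot: the index.md hunk corrects the version column to 21H2 but leaves the product column unchanged, so the table still lists LTSC 2019 twice: `+| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 |`. The NOTE in the second hunk of this same patch states that Windows 10 Enterprise LTSC 2021 is equivalent to version 21H2, so the product cell should be `Windows 10 Enterprise LTSC 2021`.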
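Review bot: the rewrite of the "builds on Windows 10 Pro, version 21H2" paragraph in the whats-new-windows-10-2021.md hunk silently drops two of the four removed bullets, "Full flexibility of OS deployment" and "Updating and support options", and keeps only security protection and device/app management. If those two still apply to LTSC 2021, fold them into the sentence (for example "... such as advanced protection against modern security threats, flexible OS deployment, updating and support options, and comprehensive device management, app management, and control capabilities"); if they were dropped on purpose, the "draft" commit message should say so.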
@@ -21,18 +21,22 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). > [!NOTE] -> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. +> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. -Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. -> [!IMPORTANT] -> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + + ## Lifecycle -Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. For more information, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). +> [!IMPORTANT] +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. 
+ +For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). ## Microsoft Edge @@ -80,7 +84,6 @@ WPA3 H2E standards are supported for enhanced Wi-Fi security. #### Microsoft Defender for Endpoint -- [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). - [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. - [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. 
@@ -168,31 +171,24 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: -- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - -With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. 
- -If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. - -Enhancements to Windows Autopilot since the last release of Windows 10 include: -- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode. -- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience. +- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot) is available. Co-management and Autopilot together can help you reduce cost and improve the end user experience. - Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**. - -A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios. - -A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). - -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). 
For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +- You can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. +- If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. ## Microsoft Intune Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). + +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). + For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). ### SetupDiag From 9f504d7ec7c81ed8deaf2fd984a92dbdcf0aaaaf Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Wed, 10 Nov 2021 11:56:03 -0800 Subject: [PATCH 22/46] draft --- .../ltsc/whats-new-windows-10-2021.md | 33 ++++--------------- 1 file changed, 6 insertions(+), 27 deletions(-) 
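Review bot: the added bullet in the `@@ -168,31 +171,24 @@` hunk has a doubled word: `+- [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision)` should read `Windows Autopilot for pre-provisioned deployment`. In the same hunk, the new level-2 `## Microsoft Intune` heading is inserted directly before the level-3 `### SetupDiag` section, so SetupDiag, Reserved storage and the sections that follow now render as subsections of Intune rather than of the deployment section they were under before; either make the Intune heading `###` or place it after those sections.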
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index bf0312bdc1..a5e38f6b4e 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -28,9 +28,6 @@ Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding p The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. - - - ## Lifecycle > [!IMPORTANT] @@ -52,13 +49,7 @@ Digital/Interactive Signage experience - Displays a specific site in full-screen Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. Both experiences are running a Microsoft Edge InPrivate session, which protects user data. -## Windows Subsystem for Linux -Windows Subsystem for Linux (WSL) is be available in-box. - -## Networking - -WPA3 H2E standards are supported for enhanced Wi-Fi security. ## Security 
@@ -193,15 +184,12 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.2107.27002 (downloadable version) is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. - #### Microsoft Endpoint Manager Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 
4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). @@ -210,20 +198,17 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). . - ### Windows Assessment and Deployment Toolkit (ADK) A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. ### Microsoft Deployment Toolkit (MDT) -MDT version 8456 supports Windows 10 Enterprise LTSC 2021. - For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). ### Windows Setup -Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). +Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have improved language handling. Improvements in Windows Setup with this release also include: - Reduced offline time during feature updates 
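Review bot: in the `@@ -193,15 +184,12 @@` hunk, dropping the line `[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.2107.27002 (downloadable version) is available.` leaves the sentence `In the current version of SetupDiag there are 53 rules contained in the rules.xml file` without saying which version has 53 rules, so the count will silently go stale; either keep the version number in that sentence or drop the count. In the `@@ -210,20 +198,17 @@` hunk, the stray line holding only `.` after `Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).` is left in place while the blank line below it is removed; delete the `.` line too. Replacing the oofhours.com link with plain `have improved language handling` also removes the only reference for that claim.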
@@ -233,7 +218,6 @@ Improvements in Windows Setup with this release also include: For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). - ## Device management Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. @@ -243,18 +227,13 @@ For more information about what's new in MDM, see [What's new in mobile device e Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: - An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. +## Windows Subsystem for Linux +Windows Subsystem for Linux (WSL) is be available in-box. +## Networking - - - - - - - - - +WPA3 H2E standards are supported for enhanced Wi-Fi security. ## See Also From 3e7c7891222bd0bca533a779c43b6378a43f2ac5 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 10 Nov 2021 13:44:02 -0800 Subject: [PATCH 23/46] draft --- .../ltsc/whats-new-windows-10-2021.md | 25 +++++++++++-------- .../whats-new-windows-10-version-1903.md | 12 ++------- 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index a5e38f6b4e..d7f40ea46a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
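Review bot: the `@@ -243,18 +227,13 @@` hunk re-adds the sections cut by `@@ -52,13 +49,7 @@` verbatim, including the typo in `+Windows Subsystem for Linux (WSL) is be available in-box.`; since the lines are being moved anyway, fix it to `is available in-box`. The new headings `+## Windows Subsystem for Linux` and `+## Networking` are also added with no blank line between heading and body text; add the blank lines so the markdown renders consistently with the rest of the file.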
@@ -44,12 +44,9 @@ Microsoft Edge Browser support is now included in-box. Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: - -Digital/Interactive Signage experience - Displays a specific site in full-screen mode. -Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. -Both experiences are running a Microsoft Edge InPrivate session, which protects user data. - - +- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. ## Security 
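Review bot: in the `@@ -44,12 +44,9 @@` hunk the third new bullet, `+- Both experiences are running a Microsoft Edge InPrivate session, which protects user data.`, is not a lockdown experience but a statement about the two listed above it; keep the first two as list items and leave this sentence as a paragraph after the list.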
@@ -118,7 +115,7 @@ WDAG performance is improved with optimized document opening times: Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. -- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. +- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. 
When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. @@ -130,13 +127,13 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: - + In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. -  +  ### Security management 
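Review bot: in the `@@ -118,7 +115,7 @@` hunk the changed line reads `In Windows 10, version 1903 WDAC added a number of new features`; add the comma after the version (`In Windows 10, version 1903, WDAC added`) so the version does not read as modifying WDAC. The switch from `has` to `added` is the right tense for an LTSC 2021 page recapping 1903 features. While touching this block, the unchanged context line still says `permission checks at runtime time`; `at runtime` is enough.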
@@ -160,7 +157,15 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190 ### Windows Autopilot -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: +[Windows Autopilot](/mem/autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019, LTSC 2021, and later versions. Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). 
+ +The following new Windows Autopilot features are available in Windows 10, version 1903 and later: - [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 74eb1725e2..d8febd294c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
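Review bot: the `@@ -160,7 +157,15 @@` hunk adds time-bound wording that will age badly on a page for an LTSC release: `+Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon.` Either date the statement or drop `currently` and `soon` and point to the linked blog for the current list; also remove the stray comma in `Panasonic, and Acer`. The unchanged context bullet `- [Windows Autopilot for for pre-provisioned deployment]` still carries the doubled `for` from the earlier commit.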
@@ -35,21 +35,13 @@ This article lists new and updated features and content that are of interest to - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation). - ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
### Reserved storage -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. ## Servicing From 9d8b1febf59c5adaf409077e5e2d7f5276e5029e Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Wed, 10 Nov 2021 14:05:46 -0800 Subject: [PATCH 24/46] draft --- .../ltsc/whats-new-windows-10-2021.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index d7f40ea46a..2755a7bb7a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
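Review bot: the `@@ -35,21 +35,13 @@` hunk deletes the whole `### Windows 10 Subscription Activation` section (Windows 10 Education step-up) from whats-new-windows-10-version-1903.md. The other changes in this hunk (dropping the SetupDiag version and widening `version 1903 pre-installed` to `version 1903 or later pre-installed`) generalize text that is shared with the LTSC page, but this one removes a feature that was new in 1903 from the 1903 page; confirm it is intentional or keep the section. The unversioned `In the current version of SetupDiag there are 53 rules` sentence has the same staleness problem here as on the LTSC page.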
@@ -91,31 +91,31 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security - [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. - [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. -#### Windows Defender Application Guard (WDAG) +#### Microsoft Defender Application Guard -- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: +- [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. 
Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: - 1. Configure WDAG policies on your device. + 1. Configure Application Guard policies on your device. 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. 3. Follow any additional configuration steps on the extension setup page. 4. Reboot the device. 5. Navigate to an untrusted site in Chrome and Firefox. - - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. 
This feature is also available in Windows 10, version 1803 or later with the latest updates. -WDAG performance is improved with optimized document opening times: -- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. +Application Guard performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. -[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. +[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. 
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. +- [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. From d2adee1dad0b862cc3783bd1ff3419d9c93ec762 Mon Sep 17 00:00:00 2001 From: MandiOhlingerDate: Wed, 10 Nov 2021 19:39:50 -0500 Subject: [PATCH 25/46] review updates --- windows/whats-new/whats-new-windows-10-version-21H2.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index 97ff81229b..d251c2b75a 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md 
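Review bot: the WDAG to Application Guard rename in the `@@ -91,31 +91,31 @@` hunk introduces an article error, `+- A memory issue is fixed that could cause a Application Guard container`, which should be `an Application Guard container`, and a redundant parenthetical, `Microsoft Defender Application Guard (Application Guard) Office document`, where the abbreviation no longer adds anything. The rename is also incomplete: the unchanged context sub-bullet still says `Standalone users can install and configure their Windows Defender Application Guard settings`. Separately, changing the link text to `+- [Application Control for Windows](...)` drops the `(WDAC)` expansion while the very next words are `In Windows 10, version 1903 WDAC added`, so the abbreviation used throughout the rest of the bullet is now undefined; keep `(WDAC)` after the link.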
@@ -34,15 +34,15 @@ To learn more about the status of the November 2021 Update rollout, known issues ## Updates and servicing -Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel, like Windows 11. Previous feature updates were installed using the semi-annual channel. Quality updates are still installed monthly on patch Tuesday. +Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the semi-annual channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). + +Quality updates are still installed monthly on patch Tuesday. For more information, see: - [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions) - [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels) -For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). - ## GPU compute support for the Windows Subsystem for Linux Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows. @@ -64,7 +64,7 @@ Azure virtual desktop is a Windows client OS hosted in the cloud, and it has vir For more information, see: - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) -- [Set up MSIX app attach with the Azure portal](azure/virtual-desktop/app-attach-azure-portal) +- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) ## Wi-Fi 6E support 
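Review bot: in the `@@ -34,15 +34,15 @@` hunk the moved sentence `+... For more information on this change, see the [How to get the Windows 10 November 2021 Update](...)` reads awkwardly with `the` before an article title; use `see [How to get the Windows 10 November 2021 Update]`. The `@@ -64,7 +64,7 @@` change adding the leading slash to `/azure/virtual-desktop/app-attach-azure-portal` is a correct fix, since the relative path would otherwise resolve under the current folder.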
From 198c3dc60915e19487dc851203c10bdf489b0605 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Thu, 11 Nov 2021 18:10:20 -0500 Subject: [PATCH 26/46] Replacing semi-annual channel with general availability channel --- .../windows-10-deployment-considerations.md | 47 +--- .../windows-10-enterprise-faq-itpro.yml | 2 +- windows/deployment/update/WIP4Biz-intro.md | 10 +- .../get-started-updates-channels-tools.md | 6 +- .../update/waas-manage-updates-wsus.md | 2 +- windows/deployment/update/waas-overview.md | 10 +- windows/deployment/update/waas-quick-start.md | 11 +- ...s-servicing-channels-windows-10-updates.md | 2 +- .../upgrade/windows-10-upgrade-paths.md | 208 +++--------------- windows/deployment/windows-10-media.md | 33 +-- .../windows-10-subscription-activation.md | 43 +--- .../demonstrate-deployment-on-vm.md | 2 +- .../whats-new-windows-10-version-21H2.md | 7 +- windows/whats-new/windows-11-whats-new.md | 2 +- 14 files changed, 75 insertions(+), 310 deletions(-) diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 90d0c547cb..86d46e0b81 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -36,46 +36,13 @@ Windows 10 also introduces two additional scenarios that organizations should c So how do you choose? At a high level: - -
+| Consider ... | For these scenarios | +|---|---| +| In-place upgrade | - When you want to keep all (or at least most) existing applications- - -- - - - - -Consider ... -For these scenarios -- -In-place upgrade -- -
- -
When you want to keep all (or at least most) existing applications
- -
When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- -
To migrate from Windows 10 to a later Windows 10 release
- -Traditional wipe-and-load -- -
- -
When you upgrade significant numbers of applications along with the new Windows OS
- -
When you make significant device or operating system configuration changes
- -
When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- -
When you migrate from Windows Vista or other previous operating system versions
- - -Dynamic provisioning -- -
- -
For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
- -
When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- To migrate from Windows 10 to a later Windows 10 release | +| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
- When you make significant device or operating system configuration changes
- When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- When you migrate from Windows Vista or other previous operating system versions | +| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required.
- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps | + - ## Migration from previous Windows versions For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. @@ -105,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods: +For computers using the [General Availability Channel](../update/get-started-updates-channels-tools.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 8ca699331f..a8e1aa8c67 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml 
@@ -103,7 +103,7 @@ sections: - question: | What are the servicing channels? answer: | - To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). - question: | What tools can I use to manage Windows as a service updates? 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index ae8c69d273..66aea9952b 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,7 +1,7 @@ --- title: Introduction to the Windows Insider Program for Business description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage 
@@ -22,7 +22,7 @@ ms.topic: article > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in theGeneral Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. The Windows Insider Program for Business gives you the opportunity to: 
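Review bot: Missing space in the replacement line of the `@@ -22,7 +22,7` hunk of WIP4Biz-intro.md: "available in theGeneral Availability Channel" should read "available in the General Availability Channel". Since this line is being rewritten anyway, the pre-existing clause "feature flighting enables participants in the Windows Insider Preview program can consume and deploy" could be repaired at the same time to "enables participants in the Windows Insider Preview program to consume and deploy".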
@@ -35,7 +35,7 @@ The Windows Insider Program for Business gives you the opportunity to: Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. [](images/WIP4Biz_deployment.png)
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. @@ -56,8 +56,8 @@ Along with exploring new features, you also have the option to validate your app - Get a head start on your Windows validation process - Identify issues sooner to accelerate your Windows deployment - Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. +- Deploy Windows 10 General Availability Channel releases faster and more confidently +- Maximize the support Window that comes with each General Availability Channel release. |Objective |Feature exploration| |---------|---------| diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index f1d6c2488e..a9cda4ed31 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,7 +1,7 @@ --- title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo 
@@ -35,7 +35,7 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. 
The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. @@ -51,7 +51,7 @@ The first step of controlling when and how devices install updates is assigning ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. ### Windows Insider Program for Business diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 8bfab4700e..ff3a2e85bf 100644 
--- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](get-started-updates-channels-tools.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 5947bdc897..543f0e96db 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -1,7 +1,7 @@ --- title: Overview of Windows as a service description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo 
@@ -90,9 +90,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. +In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. -When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. 
Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). > [!NOTE] 
@@ -120,7 +120,7 @@ The Long-term Servicing Channel is available only in the Windows 10 Enterprise L ### Windows Insider -For many IT pros, gaining visibility into feature updates early--before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. +For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started). 
@@ -130,7 +130,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled There are many tools you can use to service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates: -- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. +- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. - **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune. - **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. 
- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index f9c793095d..9f6df39c19 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,14 +1,14 @@ --- title: Quick guide to Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: high ms.author: jaimeo ms.reviewer: -manager: laurawi +manager: dougeby ms.topic: article --- 
@@ -25,12 +25,13 @@ Here is a quick guide to the most important concepts in Windows as a service. Fo ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. + +- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - - The **General Availability Channel** receives feature updates as they become available. 
- - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. + - The **General Availability Channel** receives feature updates as they become available. + - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index cbf9133ff3..65880f7388 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -43,7 +43,7 @@ The General Availability Channel is the default servicing channel for all Window >The LTSC edition is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). >[!NOTE] ->Devices will automatically receive updates from the Semi-Annual Channel, unless they are configured to receive preview updates through the Windows Insider Program. +>Devices will automatically receive updates from the General Availability Channel, unless they are configured to receive preview updates through the Windows Insider Program. ## Enroll devices in the Windows Insider Program diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index c50df27515..6e3a9935de 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md 
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -15,6 +15,7 @@ ms.topic: article --- # Windows 10 upgrade paths + **Applies to** - Windows 10 
@@ -25,9 +26,9 @@ This topic provides a summary of available upgrade paths to Windows 10. You can If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded. -> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. +> **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. > -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. 
You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. 
If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > @@ -36,180 +37,37 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi ✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed. -
--
+### Windows 10 +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| Home | | ✔ | ✔ | ✔ | | +| Pro | D | | ✔ | ✔ | ✔ | +| Education | | | | | D | +| Enterprise | | | | ✔ | | + +### Windows 8.1 + +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| (Core) | ✔ | ✔ | ✔ | ✔ | | +| Connected | ✔ | ✔ | ✔ | ✔ | | +| Pro | D | ✔ | ✔ | ✔ | ✔ | +| Pro Student | D | ✔ | ✔ | ✔ | ✔ | +| Pro WMC | D | ✔ | ✔ | ✔ | ✔ | +| Enterprise | | | | ✔ | ✔ | +| Embedded Industry | | | | | ✔ | + +### Windows 7 + +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| Starter | ✔ | ✔ | ✔ | ✔ | | +| Home Basic | ✔ | ✔ | ✔ | ✔ | | +| Home Premium | ✔ | ✔ | ✔ | ✔ | | +| Professional | D | ✔ | ✔ | ✔ | ✔ | +| Ultimate | D | ✔ | ✔ | ✔ | ✔ | +| Enterprise | | | | ✔ | ✔ | ## Related Topics diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 0e160f2943..3595e295f0 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md 
@@ -34,43 +34,12 @@ When you select a product, for example “Windows 10 Enterprise” or “Windows > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. - -### Windows 10, version 1709 - -Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. - -For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: - - - -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. 
- -For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: - -- -- - Windows 10 Home -Windows 10 Pro -Windows 10 Pro Education -Windows 10 Education -Windows 10 Enterprise -- -Windows 7 -- -Starter -✔ -✔ -✔ -✔ -- - -Home Basic -✔ -✔ -✔ -✔ -- - -Home Premium -✔ -✔ -✔ -✔ -- - -Professional -D -✔ -✔ -✔ -✔ -- -Ultimate -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Windows 8.1 -- -(Core) -✔ -✔ -✔ -✔ -- - -Connected -✔ -✔ -✔ -✔ -- - -Pro -D -✔ -✔ -✔ -✔ -- -Pro Student -D -✔ -✔ -✔ -✔ -- -Pro WMC -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Embedded Industry -- - - - ✔ -- -Windows RT -- - - - - - -Windows Phone 8.1 -- - - - - - -Windows 10 -- -Home -- ✔ -✔ -✔ -- - -Pro -D -- ✔ -✔ -✔ -- -Education -- - - - D -- -Enterprise -- - - ✔ --
- -| Title | Classification | Description | -| --- | --- | --- | -| Feature update to Windows 10, version 1709, \| Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 | -| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 | - -
- -When you approve one of these packages, it applies to all of the editions. - -This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](./update/index.md). - +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads. - **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. -See the following example for Windows 10, version 1709: - - - ### Features on demand [Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4d6d62258a..3f0e709435 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
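Review bot: The windows-10-media.md hunk keeps only the sentence "Instead of having separate media and packages ... all three are bundled together" and drops the part a deployment engineer actually needs: the deleted text explained that a single WIM in the ISO carries all the volume-licensing images and that task sequences in MDT or Configuration Manager must select the right image index. That caveat still applies to current media, so keep one sentence of it, for example "A single Windows image (WIM) file in the ISO contains all the volume licensing images; select the appropriate image index in any task sequences you create or update." The Language packs section is now a single bullet that starts with "Windows 10 1607 and later"; since everything supported is 1607 or later, the version qualifier can go.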
@@ -23,7 +23,7 @@ Applies to: - Windows 10 - Windows 11 -Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. +Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. @@ -44,9 +44,10 @@ For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 ## Subscription Activation for Windows 10/11 Enterprise -With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: + - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. - Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. 
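Review bot: In the @@ -44 hunk, the "With Windows 10, version 1703 and later" qualifier is removed from the intro sentence, but the unchanged line directly below still says "If you are running Windows 10, version 1703 or later:" followed by the bullet list; either drop that conditional too (every supported Windows 10 release and all of Windows 11 meet it) or keep the qualifier in both places. The same half-removal happens in the @@ -23 hunk, where "Starting with Windows 10, version 1703" is deleted from the first paragraph while later text on the page still gates scenarios on 1703; the version references should be removed consistently or not at all.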
@@ -109,8 +110,6 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl To resolve this issue: -If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. - If the device is running Windows 10, version 1809 or later: - Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. @@ -166,7 +165,7 @@ The IT administrator assigns Windows 10 Enterprise to a user. See the following When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. +Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. The following figures summarize how the Subscription Activation model works: 
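Review bot: The @@ -166 hunk changes a factual statement, not just a version reference: the old line covered "Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later", while the new line reads "Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education ... on up to five devices", so Windows 10 Pro, the main Subscription Activation case described two paragraphs earlier, is no longer listed as eligible for the five-device benefit. Suggest "Devices running Windows 10 Pro, or Windows 10 Pro Education version 1903 or later, can get ...". Removing the 1703/1709/1803 MFA workaround in the @@ -109 hunk is fine since those releases are out of support, but "If the device is running Windows 10, version 1809 or later:" is now the only branch left and can be flattened into plain text.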
@@ -190,19 +189,7 @@ You are using Windows 10, version 1803 or above, and just purchased Windows 10 E All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. -#### Scenario #2 - -You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -```console -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 -``` - -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -#### Scenario #3 +#### Scenario #2 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. 
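Review bot: Renaming "Scenario #3" to "Scenario #2" changes the generated heading anchor (#scenario-3 becomes #scenario-2), so inbound links to the old anchor need checking before this merges. The deleted scenario was also the only place the page explained how to move a device back from Enterprise to Pro by injecting the Pro KMS client key with `slmgr.vbs /ipk`; if that is still a supported operation it deserves a sentence elsewhere on the page, otherwise the removal is fine.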
@@ -229,26 +216,6 @@ If you are running Windows 10, version 1803 or later, Subscription Activation wi > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). -If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: - -```console -@echo off -FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO ( -SET "ProductKey=%%A" -goto InstallKey -) - -:InstallKey -IF [%ProductKey%]==[] ( -echo No key present -) ELSE ( -echo Installing %ProductKey% -changepk.exe /ProductKey %ProductKey% -) -``` - ### Obtaining an Azure AD license Enterprise Agreement/Software Assurance (EA/SA): diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b47dd4d0f2..ac69de04a3 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
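Review bot: Removing the changepk.exe script in the @@ -229 hunk is reasonable (it relied on `wmic`, which is deprecated, and targeted 1607 to 1709), but the CAUTION kept just above it, "Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE", now has no follow-up telling the reader what to do for a device that did not go through OOBE with its firmware-embedded Pro key. Add one sentence pointing to the supported way to apply the OEM key, or drop the caution together with the script it qualified.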
@@ -47,7 +47,7 @@ These are the things you'll need to complete this lab: | | Description | |:---|:---| -|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| +|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| |**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.| |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index d251c2b75a..2640bff4c6 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md 
@@ -34,7 +34,7 @@ To learn more about the status of the November 2021 Update rollout, known issues ## Updates and servicing -Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the semi-annual channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). +Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the Semi-Annual Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). Quality updates are still installed monthly on patch Tuesday. @@ -59,11 +59,14 @@ For more information on the CSPs, see the [Configuration service provider refere ## Apps appear local with Azure Virtual Desktop -Azure virtual desktop is a Windows client OS hosted in the cloud, and it has virtual apps. The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. +Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. + +You can create Azure virtual desktops that run Windows 10 version 21H2. For more information, see: - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) +- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new) - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) ## Wi-Fi 6E support diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md index 4eafe42218..af406cd7e7 100644 --- a/windows/whats-new/windows-11-whats-new.md 
+++ b/windows/whats-new/windows-11-whats-new.md @@ -149,7 +149,7 @@ For more information on the security features you can configure, manage, and enf - Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. - You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). + You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in. From cd70c8fe952093bfe313603b6629f9a824c50138 Mon Sep 17 00:00:00 2001 From: MandiOhlingerDate: Thu, 11 Nov 2021 18:58:00 -0500 Subject: [PATCH 27/46] review updates and suggestions --- .../windows-10-deployment-considerations.md | 2 +- windows/deployment/update/WIP4Biz-intro.md | 2 +- .../update/waas-manage-updates-wsus.md | 40 +++++++++---------- windows/deployment/update/waas-quick-start.md | 4 +- .../upgrade/windows-10-upgrade-paths.md | 34 ++++++++-------- 5 files changed, 41 insertions(+), 41 deletions(-) 
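Review bot: The Azure Virtual Desktop hunks in whats-new-windows-10-version-21H2.md and windows-11-whats-new.md keep the sentence "Azure virtual desktop is a Windows client OS hosted in the cloud", which is not accurate: Azure Virtual Desktop is the Azure desktop and app virtualization service that hosts Windows client session hosts, it is not itself a client OS. Suggest "Azure Virtual Desktop is a desktop and app virtualization service that runs in Azure and hosts Windows client OS sessions". The product name is also cased three different ways across the two hunks ("Azure virtual desktop", "Azure virtual desktops", "Azure Virtual desktop with MSIX app attach"); use "Azure Virtual Desktop" throughout and say "session hosts" rather than "Azure virtual desktops that run Windows 11".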
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 86d46e0b81..4d8bf0ff3e 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -72,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers using the [General Availability Channel](../update/get-started-updates-channels-tools.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: +For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 66aea9952b..c5e07f7751 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md 
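Review bot: The link target in the windows-10-deployment-considerations.md hunk is changed from `../update/get-started-updates-channels-tools.md#general-availability-channel` to `../update/waas-overview.md#general-availability-channel`, and the same swap is made later in this commit in waas-manage-updates-wsus.md. The fragment only resolves if waas-overview.md actually has a "General Availability Channel" heading after the channel rename, so please confirm that, and confirm this is not undoing an intentional move to get-started-updates-channels-tools.md, since the two files now disagree with the rest of the series about where the channel description lives.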
@@ -22,7 +22,7 @@ ms.topic: article > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in theGeneral Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. The Windows Insider Program for Business gives you the opportunity to: diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index ff3a2e85bf..bb91408f6f 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md 
+++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -60,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. -  +  >[!NOTE] >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. @@ -73,13 +73,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. -  +  8. In the **Configure Automatic Updates** dialog box, select **Enable**. 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. -  +  >[!IMPORTANT] > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations 
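Review bot: The WIP4Biz-intro.md hunk above fixes "theGeneral" but leaves the grammatical error in the same rewritten sentence: "feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code" should read "enables participants ... to consume and deploy". Since the line is already being touched, fix both in this commit.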
@@ -91,12 +91,12 @@ When using WSUS to manage updates on Windows client devices, start by configurin 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. -  +  >[!NOTE] >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) @@ -116,7 +116,7 @@ You can use computer groups to target a subset of devices that have specific qua 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. -  +  3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. @@ -144,7 +144,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput 2. Select both computers, right-click the selection, and then click **Change Membership**. -  +  3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. @@ -162,7 +162,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. -  +  4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. 
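Review bot: Putting `http://Your_WSUS_Server_FQDN:PortNumber` in code font is fine, but the template readers will copy is now plain HTTP while the NOTE two lines below documents 8531 as the HTTPS port. A client that trusts an unauthenticated HTTP WSUS endpoint is exposed to on-path tampering of update metadata, and Microsoft's WSUS guidance recommends configuring SSL/TLS; suggest showing `https://Your_WSUS_Server_FQDN:8531` as the template value (with a note that the WSUS server must have SSL configured) and mentioning 8530 only as the non-TLS fallback, so the secure setting is the default one on the page.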
@@ -179,7 +179,7 @@ The WSUS Administration Console provides a friendly interface from which you can 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. -  +  2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. @@ -203,7 +203,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. -  +  6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. @@ -213,7 +213,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added. -  +  > [!WARNING] > The target group name must match the computer group name. @@ -230,7 +230,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. -  +  The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
@@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](get-started-updates-channels-tools.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** @@ -251,7 +251,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. -  +  4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. 
@@ -265,7 +265,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. -  +  9. In the **Automatic Approvals** dialog box, click **OK**. @@ -300,7 +300,7 @@ To simplify the manual approval process, start by creating a software update vie 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. -  +  Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: @@ -308,21 +308,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s 2. Right-click the feature update you want to deploy, and then click **Approve**. -  +  3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. -  +  4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. -  +  5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. If the deployment is successful, you should receive a successful progress report. -  +  6. In the **Approval Progress** dialog box, click **Close**. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 9f6df39c19..59bb0e9b9a 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md 
@@ -30,7 +30,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - - The **General Availability Channel** receives feature updates as they become available. + - The **General Availability Channel** receives feature updates annually. - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. 
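Review bot: Changing "as they become available" to "annually" for the General Availability Channel matches the 21H2 statement earlier in this series, but the adjacent bullet in the same hunk still has two defects worth fixing while here: "The Long-Term Servicing Channel, which meant only for specialized devices" is missing "is" ("which is meant only for"), and "ATM machines" repeats "machine".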
@@ -52,6 +52,6 @@ To stay up to date, deploy feature updates at an appropriate time after their re Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update as they become available. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 6e3a9935de..e1cd089600 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
@@ -41,33 +41,33 @@ D = Edition downgrade; personal data is maintained, applications and settings ar | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| -| Home | | ✔ | ✔ | ✔ | | -| Pro | D | | ✔ | ✔ | ✔ | -| Education | | | | | D | -| Enterprise | | | | ✔ | | +| **Home** | | ✔ | ✔ | ✔ | | +| **Pro** | D | | ✔ | ✔ | ✔ | +| **Education** | | | | | D | +| **Enterprise** | | | | ✔ | | ### Windows 8.1 | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| -| (Core) | ✔ | ✔ | ✔ | ✔ | | -| Connected | ✔ | ✔ | ✔ | ✔ | | -| Pro | D | ✔ | ✔ | ✔ | ✔ | -| Pro Student | D | ✔ | ✔ | ✔ | ✔ | -| Pro WMC | D | ✔ | ✔ | ✔ | ✔ | -| Enterprise | | | | ✔ | ✔ | -| Embedded Industry | | | | | ✔ | +| **(Core)** | ✔ | ✔ | ✔ | ✔ | | +| **Connected** | ✔ | ✔ | ✔ | ✔ | | +| **Pro** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro Student** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro WMC** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | +| **Embedded Industry** | | | | | ✔ | ### Windows 7 | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| -| Starter | ✔ | ✔ | ✔ | ✔ | | -| Home Basic | ✔ | ✔ | ✔ | ✔ | | -| Home Premium | ✔ | ✔ | ✔ | ✔ | | -| Professional | D | ✔ | ✔ | ✔ | ✔ | -| Ultimate | D | ✔ | ✔ | ✔ | ✔ | -| Enterprise | | | | ✔ | ✔ | +| **Starter** | ✔ | ✔ | ✔ | ✔ | | +| **Home Basic** | ✔ | ✔ | ✔ | ✔ | | +| **Home Premium** | ✔ | ✔ | ✔ | ✔ | | +| **Professional** | D | ✔ | ✔ | ✔ | ✔ | +| **Ultimate** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | ## Related Topics From 8918004a2d6823e2e3674fa0d18138ebe9f6ffeb Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Fri, 12 Nov 2021 09:44:35 +0530 Subject: [PATCH 28/46] Minor fix --- .../enterprise-mode-schema-version-1-guidance.md | 4 ++-- .../enterprise-mode-schema-version-2-guidance.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 606544f58d..8ee8fbf055 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -71,7 +71,7 @@ This table includes the elements used by the Enterprise Mode schema. |<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example**<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
**or**
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge | |<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 | |<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge | -|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. @@ -82,7 +82,7 @@ This table includes the attributes used by the Enterprise Mode schema. |exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
**Example**<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| |docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11| |doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| -|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| +|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index a90c4220a3..825646b237 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -121,7 +121,7 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t |forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>| |docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>| |doNotTransition|<open-in>|Replace:
<doNotTransition="true"> with <open-in>none</open-in>| -|<domain> and <path>|<site>|Replace:<emie>With:
<domain exclude="false">contoso.com</domain>
</emie><site url="contoso.com"/>**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>| +|<domain> and <path>|<site>|Replace:<emie>With:
<domain>contoso.com</domain>
</emie><site url="contoso.com"/>**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
Replace:<emie>
<domain exclude="true" donotTransition="true">contoso.com
<path forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. From bb8d6e76a73a584955acffae83be0648c8ac2286 Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Fri, 12 Nov 2021 14:11:57 -0800 Subject: [PATCH 29/46] draft --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 2755a7bb7a..750e5dc02d 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
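Review bot: in the v1 schema-elements hunk (`@@ -71,7`), the corrected `<path>` example now agrees with its caption (domain `exclude="true"`, path `exclude="false"`), but two unchanged examples in the same hunk are still wrong and could be fixed in this commit: the "For IPv6 ranges" example lists an IPv4 literal, `<domain>[10.122.34.99]:8080</domain>`, identical to the IPv4 example, and the document-mode example opens `<docmode>` while the element is named `<docMode>` in the row heading.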
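Review bot: in the v1 schema-attributes hunk (`@@ -82,7`), the `exclude` row at the top of the hunk still carries the inverted example that the previous hunk corrected for `<path>`: `<domain exclude="false">fabrikam.com` / `<path exclude="true">/products</path>` under the caption "fabrikam.com doesn't use IE8 Enterprise Mode, but fabrikam.com/products does". Flip it the same way. Also, the new `forceCompatView` example spells the attribute `forcecompatview="true"` while the row heading and the `doNotTransition` example beside it use camelCase; the site list is XML, so the example should use the documented spelling `forceCompatView="true"`.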
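Review bot: in the v2 deprecated-attributes hunk (`@@ -121,7`), the rewritten second conversion contradicts the `doNotTransition` row directly above it. That row says `<doNotTransition="true">` maps to `<open-in>none</open-in>`, yet the new v1 side adds `donotTransition="true"` to the domain and the v2 side still emits `<open-in>IE11</open-in>`. Either drop `donotTransition="true"` from the v1 sample (the version being replaced didn't have it) or change the v2 result to `<open-in>none</open-in>`. The attribute is also spelled `donotTransition` here versus `doNotTransition` everywhere else in the table.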
@@ -149,10 +149,6 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. -#### Transport Layer Security (TLS) - -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/). - ## Deployment ### Windows Autopilot From b7296b9471f3d86b80c71116fddb81a60e76841b Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 12 Nov 2021 15:17:01 -0800 Subject: [PATCH 30/46] draft --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 750e5dc02d..854aa465a5 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
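Review bot: this hunk deletes the TLS 1.3 subsection outright, so the LTSC 2021 page no longer says anything about TLS 1.3, and the commit message ("draft") gives no reason. If the "experimental implementation, disabled by default system wide" description is merely stale for LTSC 2021, replace it with the current status rather than removing it; if TLS 1.3 is not part of this release, a one-line statement to that effect would spare readers a search. The only part of the deleted text that is clearly obsolete is the sentence about "beta versions of Microsoft Edge on Chromium".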
@@ -52,7 +52,6 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga ### Windows Hello -- Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes. - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). 
@@ -115,6 +114,8 @@ Application Guard performance is improved with optimized document opening times: Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. +#### Windows Defender Application Control + - [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
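Review bot: in the second hunk, the new `#### Windows Defender Application Control` heading is one level below `### Windows Hello` in the first hunk, so the three WDAC bullets become a subsection of whichever `###` heading precedes them (the Application Guard text in the context lines). If WDAC is meant to sit beside Application Guard rather than under it, use `###`. While touching this block, the first bullet's link text "Application Control for Windows" could match the heading, since the bullet itself refers to "WDAC".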
From d364303afb15cd30b6c0e12620edd3d8002d534c Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Fri, 12 Nov 2021 17:15:38 -0800 Subject: [PATCH 31/46] update system guard --- .../ltsc/whats-new-windows-10-2021.md | 42 ++++--------------- 1 file changed, 8 insertions(+), 34 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 854aa465a5..7d95ecfaed 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 Enterprise LTSC 2021 ms.reviewer: manager: dougeby ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] ms.prod: w10 ms.mktglfcycl: deploy 
@@ -124,17 +124,13 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend #### Windows Defender System Guard -[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months. +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. 
-This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly: +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. - +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. -In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. - -With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. - -  +There are already devices in the market today that offer SMM Firmware Protection versions one and two. 
SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. ### Security management 
@@ -150,30 +146,6 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. -## Deployment - -### Windows Autopilot - -[Windows Autopilot](/mem/autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019, LTSC 2021, and later versions. Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). 
- -The following new Windows Autopilot features are available in Windows 10, version 1903 and later: - -- [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. -- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. -- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot) is available. Co-management and Autopilot together can help you reduce cost and improve the end user experience. -- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**. -- You can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. -- If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. 
- ## Microsoft Intune Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. @@ -184,6 +156,8 @@ Intune has also added capabilities to [Role-based access control](/mem/intune/fu For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). +## Deployment + ### SetupDiag [SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
@@ -192,7 +166,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. -#### Microsoft Endpoint Manager +### Microsoft Endpoint Manager Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). From b418f947aa914332f4f252ca2056c45b29cc7305 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Fri, 12 Nov 2021 17:33:01 -0800 Subject: [PATCH 32/46] remove Autopilot from LTSC 2019 since it is not in the test matrix --- .../ltsc/whats-new-windows-10-2019.md | 36 +------------------ 1 file changed, 1 insertion(+), 35 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 256dad7a3a..deb9fbb6e5 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
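Review bot: the System Guard hunk (`@@ -124,17`) links the same page under two different slugs: the new first paragraph and the SMM anchor use `/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows`, while the retained "In this release, [Windows Defender System Guard](...)" link still uses `/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows`. One of these will redirect or 404; use a single slug for all three. Two wording problems in the added text as well: "with each subsequent versions offering" should be "version", and "SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon" reads as a heading that lost its line break or a sentence missing its verb; make it either a `####` heading or "SMM Firmware Protection version three is currently forward-looking and requires new hardware...".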
@@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security 
@@ -188,26 +188,6 @@ This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocke This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - ### Identity protection Improvements have been added are to Windows Hello for Business and Credential Guard. 
@@ -292,20 +272,6 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr ## Deployment -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. 
For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). - ### MBR2GPT.EXE MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). From 7482dfc0e128b83a422c972b3c732187a2d75bfe Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Sat, 13 Nov 2021 08:53:23 -0800 Subject: [PATCH 33/46] reword lifecycle statement --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 7d95ecfaed..e970e0e279 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
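Review bot: in the BitLocker hunk (`@@ -188,26`), the context line left immediately above the deleted "Delivering BitLocker policy to AutoPilot devices during OOBE" section, "This feature will soon be enabled on Olympia Corp as an optional feature.", is Insider-preview wording that has no place on a shipped-release what's-new page; since this commit is already pruning this area, that sentence should go too.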
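Review bot: the Deployment hunk (`@@ -292,20`) removes the `#### Autopilot Reset` subsection together with the Windows Autopilot section, but the commit message's rationale ("not in the test matrix") is stated for Autopilot deployment. Autopilot Reset is a separate feature with its own education doc (`/education/windows/autopilot-reset`); please confirm it is also out of scope for LTSC 2019 before dropping it, or keep that paragraph under Deployment.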
@@ -31,7 +31,7 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements ## Lifecycle > [!IMPORTANT] -> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). From cf92087da30e30811da2899367d7bb2782d65120 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 15 Nov 2021 09:43:53 -0500 Subject: [PATCH 34/46] Fixed issues --- .../upgrade/windows-10-upgrade-paths.md | 52 +++++++++++++------ 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index e1cd089600..600631905f 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
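Review bot: the new IoT link has an apostrophe inside its path segment (`/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2`), which is unusual for a docs slug and easy for markdown tooling to mangle; confirm it resolves on the build output. The reworded sentence itself is an improvement, since it now states the IoT exception and the 10-year lifecycle of LTSC 2019 in one place.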
@@ -26,19 +26,23 @@ This topic provides a summary of available upgrade paths to Windows 10. You can If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded. -> **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. -> -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. 
The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. -> -> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). +- **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. + +- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options. + + You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). 
You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. + +- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. + +- **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). + +## Windows 10 + +✔ = Full upgrade is supported including personal data, settings, and applications. -✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed. -### Windows 10 - +--- | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| | **Home** | | ✔ | ✔ | ✔ | | @@ -46,8 +50,15 @@ D = Edition downgrade; personal data is maintained, applications and settings ar | **Education** | | | | | D | | **Enterprise** | | | | ✔ | | -### Windows 8.1 +--- +## Windows 8.1 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| | **(Core)** | ✔ | ✔ | ✔ | ✔ | | @@ -58,8 +69,15 @@ D = Edition downgrade; personal data is maintained, applications and settings ar | **Enterprise** | | | | ✔ | ✔ | | **Embedded Industry** | | | | | ✔ | -### Windows 7 +--- +## Windows 7 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | |---|---|---|---|---|---| | **Starter** | ✔ | ✔ | ✔ | ✔ | | @@ -69,8 +87,12 @@ D = Edition downgrade; personal data is maintained, applications and settings ar | **Ultimate** | D | ✔ | ✔ | ✔ | ✔ | | **Enterprise** | | | | ✔ | ✔ | +--- + ## Related Topics -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md) \ No newline at end of file +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md) + +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) From 2f5cbef11963d053562b91b481f5dc3c2c669891 Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Mon, 15 Nov 2021 13:48:04 -0800 Subject: [PATCH 35/46] major revision --- .../ltsc/whats-new-windows-10-2021.md | 215 ++++++++++-------- 1 file changed, 121 insertions(+), 94 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index e970e0e279..7fd18584e1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
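Review bot: in the first hunk of windows-10-upgrade-paths.md (@@ -26,19 +26,23 @@), the rewritten sentence `If you don't use the switch, the option **Keep personal files and apps** option is grayed out.` repeats "option"; drop the first one. In the same bullet, the example `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43` is introduced only with "if using a KMS"; state explicitly that this is Microsoft's published generic KMS client setup key for the target edition and not an organization-specific or retail key, so readers do not treat it as a secret or expect it to activate a machine without a KMS host. The same bullet still says "Windows 10 SAC product key" while the rest of the new list uses "General Availability Channel"; use one term.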
@@ -35,22 +35,103 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). -## Microsoft Edge +## Hardware security -Microsoft Edge Browser support is now included in-box. +### System Guard -### Microsoft Edge kiosk mode +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. -Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. 
-Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: -- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. -- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. -- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. -## Security +There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. -### Windows Hello +## Operating system security + +### System security + +[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. + +### Encryption and data protection + +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. 
The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. + +### Network security + +#### Windows Defender Firewall + +Windows Defender Firewall now offers the following benefits: + +**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. + +**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. + +Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools. 
+ +Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97). + +### Virus and threat protection + +- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. 
+- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. +- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. +- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. +- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). + +Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. + +## Application security + +### App isolation + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. + +#### Microsoft Defender Application Guard + +[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. 
There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure Application Guard policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + +Application Guard performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. + +[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. 
+ +Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. + +### Application Control + +[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +## Identity and privacy + +### Secured identity - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. 
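Review bot: the added line `+There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon.` fuses two fragments; the removed text had the same defect and the revision carries it over unchanged. Suggest "SMM Firmware Protection version three is forward-looking and requires new hardware that will be made available soon." This hunk also deletes `## Microsoft Edge` and `### Microsoft Edge kiosk mode` (in-box Edge support and the two kiosk lockdown experiences) without re-homing that text anywhere in the patch, and the commit message ("major revision") does not say the Edge content is meant to go; confirm the intent or move it under the new structure. Two smaller points: the "Windows Security app improvements now include Protection history, including ... Controlled Folder Access blocks are now in the Protection history, ..." sentence is a run-on that should become a short list, and the bullets about ISO 27001 certification, geolocation of sample data and platform support for Windows 7, Windows 8.1, macOS and Linux describe the Defender for Endpoint cloud service rather than anything new in this OS release, so they sit oddly under "Virus and threat protection" for LTSC 2021.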
@@ -63,90 +144,27 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga - Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. -### Windows Information Protection +### Credential protection #### Windows Defender Credential Guard [Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. -#### Microsoft Defender for Endpoint +### Privacy controls -- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. 
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. - -- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. -- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. -- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). - -Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. - -### Threat Protection - -- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. - [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. 
-#### Microsoft Defender Application Guard +## Cloud Services -- [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. +### Microsoft Endpoint Manager - To try this extension: - 1. Configure Application Guard policies on your device. - 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. - 4. Reboot the device. - 5. Navigate to an untrusted site in Chrome and Firefox. +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). 
Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). - - Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. +### Configuration Manager -Application Guard performance is improved with optimized document opening times: -- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle. -- The performance of Robocopy is improved when copying files over 400 MB in size. +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). -[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. 
- -Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. - -#### Windows Defender Application Control - -- [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
- This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. - -#### Windows Defender System Guard - -[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. 
- -In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. - -With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. - -There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. - -### Security management - -- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. -- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. 
-- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. - -#### Microsoft BitLocker - -BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. - -#### Key-rolling and Key-rotation - -Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. - -## Microsoft Intune +#### Microsoft Intune Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. 
@@ -156,6 +174,19 @@ Intune has also added capabilities to [Role-based access control](/mem/intune/fu For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). +### Mobile Device Management + +Mobile Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. + +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) + +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. + +#### Key-rolling and Key-rotation + +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. + ## Deployment ### SetupDiag 
@@ -166,14 +197,6 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. -### Microsoft Endpoint Manager - -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). - -An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). - -Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). - . ### Windows Assessment and Deployment Toolkit (ADK) A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. 
@@ -194,14 +217,18 @@ Improvements in Windows Setup with this release also include: For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). -## Device management +## Microsoft Edge -Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. +Microsoft Edge Browser support is now included in-box. -For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) +### Microsoft Edge kiosk mode -Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: -- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). + +Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: +- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. 
## Windows Subsystem for Linux From 8cb882d1d13df8768718a49627ee634462aefa16 Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Mon, 15 Nov 2021 13:59:45 -0800 Subject: [PATCH 36/46] formatting --- .../ltsc/whats-new-windows-10-2021.md | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 7fd18584e1..816d0993de 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
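Review bot: Grammar error carried over in hunk @@ -156,6 +174,19 @@ of the patch above: the re-added "#### Key-rolling and Key-rotation" paragraph still reads "two new features called Key-rolling and Key-rotation enables secure rolling"; since the paragraph is being moved anyway, change it to "two new features, Key-rolling and Key-rotation, that enable secure rolling". In the same hunk the sentence "For more information about what's new in MDM, see [What's new in mobile device enrollment and management](...)" is missing its closing period.

Review bot: Heading level jump in the first hunk of the patch above: "## Microsoft Intune" becomes "#### Microsoft Intune", yet the next heading that follows it in hunk @@ -156,6 +174,19 @@ is "### Mobile Device Management", so the Intune subsection is now two levels below whatever precedes it with no "###" parent in between. Check that "#### Microsoft Intune" sits under an intended "###" heading, or make it "###".

Review bot: Stray line in hunk @@ -166,14 +197,6 @@: the context line consisting of a single "." immediately before "### Windows Assessment and Deployment Toolkit (ADK)" looks like leftover punctuation from the deleted "### Microsoft Endpoint Manager" block; remove it in this patch, since the adjacent lines are already being edited.

Review bot: List structure in hunk @@ -194,14 +217,18 @@: the lead-in says "two lockdown experiences", but the list has three bullets, and the third, "Both experiences are running a Microsoft Edge InPrivate session, which protects user data.", is a statement about the other two rather than an experience of its own. Move it out of the list as a plain sentence following the two bullets.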
@@ -77,19 +77,24 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( ### Virus and threat protection -- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. -- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. -- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. 
+[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. -- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. -- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. -- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). 
+**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. +**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. + +**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. + +**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). + +> [!NOTE] +> The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. ## Application security 
@@ -99,8 +104,8 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security #### Microsoft Defender Application Guard -[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. +[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 
@@ -110,7 +115,7 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security 4. Reboot the device. 5. Navigate to an untrusted site in Chrome and Firefox. - Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. Application Guard performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. 
@@ -119,20 +124,21 @@ Application Guard performance is improved with optimized document opening times: [Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. -Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. +**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. ### Application Control [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. 
Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. ## Identity and privacy ### Secured identity +Windows Hello enhancements include: - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. 
Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). @@ -152,7 +158,7 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend ### Privacy controls -- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. +[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. ## Cloud Services From 659e2f23689e35db2592cbb685d4a1cbc5d4d4fd Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Mon, 15 Nov 2021 14:06:55 -0800 Subject: [PATCH 37/46] grammar --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 816d0993de..c9b5348cd7 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
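Review bot: Orphaned sub-bullets in hunk @@ -77,19 +77,24 @@: the two indented items "  - Integrity enforcement capabilities" and "  - [Tamper-proofing]..." are kept as nested list items, but their parent "[Next generation protection]..." is no longer a bullet, so they now hang off a paragraph. Either keep "Next generation protection" as a list item or un-indent the two sub-items into a top-level list. While touching the "Attack surface area reduction" line, "specific URL’s and IP addresses" should be "specific URLs and IP addresses".

Review bot: Inconsistent list in hunk @@ -110,7 +115,7 @@: replacing "- Application Guard allows dynamic navigation:" with " **Dynamic navigation**:" drops the bullet marker but keeps the leading space, so this item falls out of the list that the neighbouring " - Standalone users ..." and " - Application Guard is now an extension ..." items (hunk @@ -99,8 +104,8 @@) still belong to. Keep the bullet: " - **Dynamic navigation**: ...".

Review bot: Apparent no-op change in hunk @@ -119,20 +124,21 @@: the "- - [Multiple Policies]" and "- - [Path-Based Rules]" lines are deleted and re-added with text that looks identical. If the only difference is trailing whitespace or line endings, say so in the commit message (the subject is just "formatting"); otherwise drop these lines from the diff so the hunk shows only the real change, the new "Windows Hello enhancements include:" lead-in.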
@@ -18,7 +18,7 @@ ms.topic: article **Applies to** - Windows 10 Enterprise LTSC 2021 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). > [!NOTE] > Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
@@ -41,7 +41,7 @@ For more information about the lifecycle for this release, see [The next Windows [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. -In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. 
Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. @@ -55,7 +55,7 @@ There are already devices in the market today that offer SMM Firmware Protection ### Encryption and data protection -BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. ### Network security 
@@ -119,7 +119,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( Application Guard performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle. +- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. [Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. 
@@ -129,7 +129,7 @@ Application Guard performance is improved with optimized document opening times: ### Application Control [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. @@ -191,7 +191,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf #### Key-rolling and Key-rotation -This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. ## Deployment From b614cfa7fc3124ccfa519f48757854b187f05ba8 Mon Sep 17 00:00:00 2001 
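Review bot: Subject-verb agreement regresses in hunk @@ -18,7 +18,7 @@ of the patch above: "features and content that are of interest" was correct for the compound subject, and "content that is of interest" introduces an error in a commit titled "grammar". Revert to "are".

Review bot: Incomplete fix in hunk @@ -191,7 +191,7 @@: hyphenating "MDM-managed" leaves the main problem in the sentence, "two new features called Key-rolling and Key-rotation enables secure rolling"; suggest "two new features, Key-rolling and Key-rotation, that enable secure rolling". For consistency with the new "MDM-managed" here and in hunk @@ -55,7 +55,7 @@, "BitLocker protected drive" should also become "BitLocker-protected drive" in both hunks.

Review bot: Duplicate content across hunks @@ -55,7 +55,7 @@ and @@ -191,7 +191,7 @@: the "### Encryption and data protection" paragraph and the "#### Key-rolling and Key-rotation" paragraph describe the same BitLocker recovery-password rolling feature in nearly the same words. Keep one and cross-reference it from the other.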
From: greg-lindsayDate: Mon, 15 Nov 2021 14:52:29 -0800 Subject: [PATCH 38/46] apologies, a minor correction --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index c9b5348cd7..dd77d477f7 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -24,7 +24,7 @@ This article lists new and updated features and content that is of interest to I > Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. -Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. From a1d1143670eaff5d48a72e2dc30179d009ba56dc Mon Sep 17 00:00:00 2001 From: greg-lindsayDate: Mon, 15 Nov 2021 14:53:50 -0800 Subject: [PATCH 39/46] second minor correction --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index dd77d477f7..03d6ae1367 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
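Review bot: changing the baseline from "Windows 10 Pro, version 21H2" to "Windows 10 Enterprise LTSC 2019" leaves the rest of the sentence, "adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities", describing what Enterprise adds over Pro; those are not additions relative to LTSC 2019, which is already an Enterprise SKU. Either keep the Pro, version 21H2 baseline, which lines up with the note a few lines up that LTSC 2021 is feature-equivalent to 21H2, or trim the tail so the sentence describes what is new since LTSC 2019, which is what the following "cumulative enhancements" sentence already does.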
@@ -26,7 +26,7 @@ This article lists new and updated features and content that is of interest to I Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. -The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. +The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below. ## Lifecycle From 84dbc8fb9eda95ba46fa31269ffca9f757769847 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 15 Nov 2021 15:06:32 -0800 Subject: [PATCH 40/46] removing consumer feature --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 03d6ae1367..60fa7af555 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
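Review bot: the version list "1903, 1909, 2004, 21H1, and 21H2" skips 20H2, which shipped between 2004 and 21H1. If the sentence is meant to enumerate every semi-annual release since LTSC 2019, 20H2 belongs in it even if it brought little of interest to IT pros; as written, a reader will assume it was excluded on purpose.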
@@ -147,7 +147,6 @@ Windows Hello enhancements include: - Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. ### Credential protection From 6d53fc73049fed5890a928f2b3f44127604aa483 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 15 Nov 2021 16:34:56 -0800 Subject: [PATCH 41/46] Acrolinx: "navigations" --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- windows/whats-new/whats-new-windows-10-version-1903.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 60fa7af555..6364bc3fd1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
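Review bot: dropping the phone-number Microsoft account sign-in bullet matches the "removing consumer feature" rationale, but two context lines in the same list still lean on consumer accounts: the FIDO2 bullet cites "Microsoft account and Azure AD" and the PIN-reset bullet is scoped to "Microsoft account users". If Microsoft account features are out of scope for the LTSC article, those should be reworded toward Azure AD / Windows Hello for Business in the same change so the list is consistent.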
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
@@ -106,7 +106,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure Application Guard policies on your device. 
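Review bot: the Acrolinx fix only touches "navigations"; the same bullet list is still inconsistent on the product name, with the link text reading "Microsoft Defender Application Guard" and the first bullet "Windows Defender Application Guard settings". Also, the trailing sentence "This feature is also available in Windows 10, version 1803 or later with the latest updates" is carried over from the 1903 article and reads oddly in an LTSC 2021 page that already includes everything through 21H2; worth trimming while this bullet is being edited.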
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index d8febd294c..e3e4fd0740 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -94,7 +94,7 @@ The draft release of the [security configuration baseline settings](/archive/blo - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure WDAG policies on your device. From 411b642e1e965416ef2681c673d21a9b0af7b3b0 Mon Sep 17 00:00:00 2001 
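Review bot: same "navigations" fix applied here; note that this file capitalises "Registry key settings" while the LTSC 2021 copy of the same bullet (edited in the same commit) uses "registry key settings". Since both files are touched together, pick one spelling.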
From: Gary Moore Date: Mon, 15 Nov 2021 16:39:28 -0800 Subject: [PATCH 42/46] Add lightbox for readability --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index deb9fbb6e5..8bdcb44218 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - +[  ](../images/wdatp.png#lightbox) ##### Attack surface reduction From 5b1ed1d178087b0e35b0bbb6ee5b7a8c32b52703 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 15 Nov 2021 16:41:38 -0800 Subject: [PATCH 43/46] Consolidate alt text --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 8bdcb44218..aadeb278f7 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -268,7 +268,7 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - + ## Deployment From d1926ea12acb7b892a45aaed961a8320f85ca4cb Mon Sep 17 00:00:00 2001 
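Review bot: in the lightbox hunk the link text between the square brackets, `[  ](../images/wdatp.png#lightbox)`, appears empty in the patch as it shows here; the lightbox pattern needs the inline image, with its alt text, inside the brackets, otherwise it renders as an empty link and the alt text consolidated in the following commit has nothing to attach to. Please confirm the image markdown is actually present in the file.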
From: Gary Moore Date: Mon, 15 Nov 2021 16:42:52 -0800 Subject: [PATCH 44/46] Add automatic border --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index aadeb278f7..4568258c47 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -268,7 +268,8 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - +> [!div class="mx-imgBorder"] +>  ## Deployment From 4d06c3098078b304175bb2de8ca436410d5be5c5 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 16 Nov 2021 09:43:01 -0800 Subject: [PATCH 45/46] Update appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md indent table in step --- ...tion-groups-on-a-stand-alone-computer-with-powershell.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 1582199d12..8c9cc3e533 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md 
@@ -84,9 +84,9 @@ This topic explains the following procedures: 2. Run the following cmdlet and parameter: -|Cmdlet|Parameter and values|Example| -|--- |--- |--- | -|Set-AppvClientConfiguration|-RequirePublishAsAdmin - 0 - False
- 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
1| + |Cmdlet|Parameter and values|Example| + |--- |--- |--- | + |Set-AppvClientConfiguration|-RequirePublishAsAdmin- 0 - False
- 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
1|
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). From 537e775accddcb6db3f35a9d986dc4d0c558b6fc Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 16 Nov 2021 09:49:35 -0800 Subject: [PATCH 46/46] Update appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md indent other table --- ...on-groups-on-a-stand-alone-computer-with-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 8c9cc3e533..ab5b11444d 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -69,10 +69,10 @@ This topic explains the following procedures: 2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): -|Cmdlet|Examples| -|--- |--- | -|Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| -|Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| + |Cmdlet|Examples| + |--- |--- | + |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| + |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| ## To allow only administrators to enable connection groups
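Review bot: the re-indented row drops the space after the parameter name: the removed line reads `|Set-AppvClientConfiguration|-RequirePublishAsAdmin - 0 - False` and the added line `|Set-AppvClientConfiguration|-RequirePublishAsAdmin- 0 - False`, which glues "- 0" onto the parameter. Restore the space. Separately, the Example cell `Set-AppvClientConfiguration -RequirePublishAsAdmin` / `1` is split across lines; make sure that break is an explicit `<br>` rather than a line break inside the row, which a Markdown table parser treats as the end of the row.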
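Review bot: the table is indented by a single space under step `2. Use the following cmdlets...`; with a `2. ` marker, nested block content needs three spaces of indentation to stay inside the list item under CommonMark rules, so a one-space indent renders the table as a top-level block after the list rather than as part of step 2, and the same applies to the table re-indented in the previous commit. If the goal is only visual alignment in the source this is harmless; if the goal is rendering inside the step, use three spaces.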