Paolo Matarazzo 2023-02-19 08:32:03 -05:00
commit 11e7fad464
172 changed files with 710 additions and 1843 deletions

View File

@ -20534,6 +20534,11 @@
"source_path": "education/windows/school-get-minecraft.md", "source_path": "education/windows/school-get-minecraft.md",
"redirect_url": "/education/windows/get-minecraft-for-education", "redirect_url": "/education/windows/get-minecraft-for-education",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
"redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
"redirect_document_id": true
} }
] ]
} }
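Review bot: The new redirect entry sets "redirect_document_id": true, while the entry directly above it uses false. Confirm that carrying the document ID of dg-readiness-tool.md over to the existing credential-guard article is intended. Also check that dg-readiness-tool.md is deleted in this same commit and that remaining links to it are updated, so the redirect does not coexist with a live source file.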

View File

@ -2,6 +2,7 @@
metadata: metadata:
title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros
ms.reviewer: ms.reviewer:
ms.date: 12/14/2020
audience: itpro audience: itpro
manager: dansimp manager: dansimp
description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.

View File

@ -11,7 +11,7 @@ ms.reviewer:
manager: dansimp manager: dansimp
title: Enterprise Mode for Microsoft Edge title: Enterprise Mode for Microsoft Edge
ms.sitesec: library ms.sitesec: library
ms.date: '' ms.date: 07/17/2018
--- ---
# Enterprise Mode for Microsoft Edge # Enterprise Mode for Microsoft Edge
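Review bot: ms.date goes from '' to 07/17/2018 in a commit dated 2023-02-19, and nothing visible here says where the value comes from. State the source of the backfilled dates in the commit message (for example, the file's last content change) so a reader can tell a reconstructed date from a claim that the article was reviewed on that day.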
@ -55,5 +55,3 @@ You can build and manage your Enterprise Mode Site List is by using any generic
### Add multiple sites to the site list ### Add multiple sites to the site list

View File

@ -1,3 +1,6 @@
---
ms.date: 07/17/2018
---
Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser. centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser.
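Review bot: This file had no front matter before the change and starts directly with body text, which suggests it is pulled into other articles as an include. Confirm that the build strips the added --- block from included files; if it does not, the ms.date line will show up in the body of every page that includes it. The same question applies to the next file, which starts at "## What is Enterprise Mode?".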

View File

@ -1,4 +1,7 @@
---
ms.date: 07/17/2018
---
## What is Enterprise Mode? ## What is Enterprise Mode?
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.

View File

@ -9,6 +9,7 @@ title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Expl
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dansimp manager: dansimp
ms.date: 02/24/2016
--- ---
@ -62,4 +63,4 @@ IE11 offers differing experiences in Windows 8.1:
## Related topics ## Related topics
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)

View File

@ -6,6 +6,7 @@ author: dansimp
ms.prod: ie11 ms.prod: ie11
ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8 ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
ms.reviewer: ms.reviewer:
ms.date: 03/15/2016
audience: itpro audience: itpro
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -60,8 +61,3 @@ You can also click **Select All** to add, or **Clear All** to remove, all of the
   
   

View File

@ -9,6 +9,7 @@ title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dansimp manager: dansimp
ms.date: 03/15/2016
--- ---
@ -49,4 +50,4 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/) - [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)

View File

@ -1,3 +1,6 @@
---
ms.date: 10/24/2020
---
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.--> <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
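Review bot: The first content line of this file says it is generated automatically each week and that changes will be overwritten, so the ms.date block added above it will be lost on the next generation run. Add the field in the generator or its template instead, or remove the comment if the file is no longer generated.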

Binary file not shown.


View File

@ -1,3 +1,6 @@
---
ms.date: 10/31/2020
---
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.--> <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
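Review bot: ms.date: 10/31/2020 is added by hand above a comment stating that this file is regenerated weekly and that manual changes are overwritten. The other generated file in this commit gets 10/24/2020, exactly one week earlier, which reads like the last generation dates; if generation stopped in 2020, the "generated automatically each week" comment is stale and should be removed in the same change.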

View File

@ -8,7 +8,9 @@ manager: aaroncz
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 03/28/2022 ms.date: 03/28/2022
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection:
- highpri
- tier2
ms.technology: itpro-manage ms.technology: itpro-manage
--- ---
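Review bot: ms.collection changes type here, from the scalar highpri to a two-item list (highpri, tier2). Confirm that whatever consumes this metadata accepts a sequence for ms.collection, and keep the list indentation identical across the files that receive this change, since the same edit is repeated in several hunks of this commit.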

View File

@ -1,14 +1,16 @@
--- ---
title: Azure Active Directory integration with MDM title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world's largest enterprise cloud identity management service. description: Azure Active Directory is the world's largest enterprise cloud identity management service.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: highpri ms.collection:
- highpri
- tier2
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---
@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in
> [!IMPORTANT] > [!IMPORTANT]
> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. > Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license.
### BYOD scenario ### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted.
@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en
> [!NOTE] > [!NOTE]
> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. > Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure ADintegrated enrollment ### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process: Azure AD MDM enrollment is a two-step process:
@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery.
### Add cloud-based MDM to the app gallery ### Add cloud-based MDM to the app gallery
> [!NOTE] > [!NOTE]
> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application > You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
The following table shows the required information to create an entry in the Azure AD app gallery. The following table shows the required information to create an entry in the Azure AD app gallery.
@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
### Add on-premises MDM to the app gallery ### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
|--- |--- |--- |--- |--- | |--- |--- |--- |--- |--- |
|FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css| |FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css|
|MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css| |MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css|
## Terms of Use protocol semantics ## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
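Review bot: In the theme table carried as context in this hunk, the FRX row lists the file as oobe-dekstop.css while the MOSET row below it lists settings-desktop.css. "dekstop" looks like a transposition of "desktop"; since the file is being touched anyway, verify the actual filename and correct the row if it is a typo.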
@ -332,7 +334,7 @@ The following table shows the error codes.
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error| |internal service error|302|server_error|internal service error|
## Enrollment protocol with Azure AD ## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.

View File

@ -6,10 +6,12 @@ author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: vinpa ms.author: vinpa
ms.date: 01/18/2022 ms.date: 01/18/2022
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection:
- highpri
- tier2
ms.technology: itpro-manage ms.technology: itpro-manage
--- ---
@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
## Set up ## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. - Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. - The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
- On the PC you want to connect to: - On the PC you want to connect to:
1. Open system properties for the remote PC. 1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer.](images/allow-rdp.png) ![Allow remote connections to this computer.](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- Adding users manually - Adding users manually
You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet:
```powershell ```powershell
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
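Review bot: The sentence before the code fence calls the command a "PowerShell cmdlet", but net localgroup is the net.exe command-line tool, not a cmdlet. The surrounding lines are already touched by this hunk, so reword it to "the following command" while you are here.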
@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- Adding users using policy - Adding users using policy
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP] > [!TIP]

View File

@ -1,7 +1,7 @@
--- ---
title: Mobile device management MDM for device updates title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 11/15/2017 ms.date: 11/15/2017
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Mobile device management (MDM) for device updates # Mobile device management (MDM) for device updates

View File

@ -1,7 +1,7 @@
--- ---
title: Diagnose MDM failures in Windows 10 title: Diagnose MDM failures in Windows 10
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/25/2018 ms.date: 06/25/2018
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Diagnose MDM failures in Windows 10 # Diagnose MDM failures in Windows 10

View File

@ -7,9 +7,11 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 04/30/2022 ms.date: 04/30/2022
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Enroll a Windows 10 device automatically using Group Policy # Enroll a Windows 10 device automatically using Group Policy
@ -188,19 +190,19 @@ Requirements:
- 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
2. Install the package on the Domain Controller. 2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder: 3. Navigate, depending on the version to the folder:
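Review bot: The download links in this list use three different URL forms: details.aspx?id=... for most entries, confirmation.aspx?id=... for 1909 and 2004, and a bare /download/104677 for the Windows 10 22H2 entry. Verify that the 22H2 link resolves and normalise the list to one form. Two entries are also labelled "22H2 -->" (Windows 10 and Windows 11); include the OS in the label so the list can be scanned by version.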
@ -214,13 +216,13 @@ Requirements:
- 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
- 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)**
- 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**

View File

@ -11,6 +11,7 @@ metadata:
ms.technology: itpro-manage ms.technology: itpro-manage
ms.collection: ms.collection:
- highpri - highpri
- tier1
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: dougeby manager: dougeby

View File

@ -5,10 +5,12 @@ ms.prod: windows-client
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
ms.date: 09/14/2021 ms.date: 09/14/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection:
- highpri
- tier2
ms.technology: itpro-manage ms.technology: itpro-manage
--- ---
@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want,
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE] > [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.

View File

@ -1,17 +1,19 @@
--- ---
title: MDM enrollment of Windows 10-based devices title: MDM enrollment of Windows 10-based devices
description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organizations resources. description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organizations resources.
MS-HAID: MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: highpri ms.collection:
- highpri
- tier2
ms.date: 12/31/2017 ms.date: 12/31/2017
--- ---
@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio
> [!NOTE] > [!NOTE]
> Mobile devices can't be connected to an Active Directory domain. > Mobile devices can't be connected to an Active Directory domain.
### Out-of-box-experience ### Out-of-box-experience
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain:
@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire
| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. Youll need to switch to an administrator account to continue. | | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. Youll need to switch to an administrator account to continue. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connect your device to an Azure AD domain (join Azure AD) ### Connect your device to an Azure AD domain (join Azure AD)
@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do
| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
## Connect personally owned devices
## Connect personally owned devices
Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
@ -247,7 +249,7 @@ To create a local account and connect the device:
![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png)
After you complete the flow, your device will be connected to your organizations MDM. After you complete the flow, your device will be connected to your organizations MDM.
### Help with connecting personally owned devices ### Help with connecting personally owned devices
There are a few instances where your device may not be able to connect to work. There are a few instances where your device may not be able to connect to work.
@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work.
| You dont have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | You dont have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldnt auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | | We couldnt auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connect your Windows 10-based device to work using a deep link ## Connect your Windows 10-based device to work using a deep link
@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow
| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned |
> [!NOTE] > [!NOTE]
> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. > AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later.
### Connect to MDM using a deep link ### Connect to MDM using a deep link
> [!NOTE] > [!NOTE]
> Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link: > Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link:
> >
> - **ms-device-enrollment:?mode=mdm** > - **ms-device-enrollment:?mode=mdm**
> - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`** > - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`**
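Review bot: The note under "Connect to MDM using a deep link" runs two unrelated things together on one line: the browser restriction ("Deep links only work with Internet Explorer or Microsoft Edge browsers.") and the lead-in to the example URIs. Since this hunk already touches the block, consider ending the note after the browser sentence and moving "Examples of URIs that may be used to connect to MDM using a deep link:" and the two bullets into the body text, with "URI's" corrected to "URIs". The second example pre-fills both username and servername, so a sentence telling readers to confirm that the servername shown during enrollment is their organization's MDM server would fit here.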
@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a
![work or school info.](images/unifiedenrollment-rs1-35-b.png) ![work or school info.](images/unifiedenrollment-rs1-35-b.png)
> [!NOTE] > [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available. > Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect ### Disconnect
@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report
![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)

View File

@ -9,7 +9,9 @@ ms.localizationpriority: medium
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Mobile Device Management overview # Mobile Device Management overview

View File

@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 09/18/2020 ms.date: 09/18/2020
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Configuration service provider DDF files # Configuration service provider DDF files

View File

@ -1,7 +1,7 @@
--- ---
title: Configuration service provider support title: Configuration service provider support
description: Learn more about configuration service provider (CSP) supported scenarios. description: Learn more about configuration service provider (CSP) supported scenarios.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 09/18/2020 ms.date: 09/18/2020
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Configuration service provider support # Configuration service provider support

View File

@ -7,9 +7,11 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# DynamicManagement CSP # DynamicManagement CSP

View File

@ -11,6 +11,7 @@ metadata:
ms.prod: windows-client ms.prod: windows-client
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.custom: intro-hub-or-landing ms.custom: intro-hub-or-landing
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa

View File

@ -150,7 +150,7 @@ Descriptions of the properties:
**Policy timeline**: **Policy timeline**:
The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup dec>` and SID in `<member name>`. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup desc>` and SID in `<member name>`. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example.
The following table describes how this policy setting behaves in different Windows 10 versions: The following table describes how this policy setting behaves in different Windows 10 versions:

View File

@ -1,7 +1,7 @@
--- ---
title: Mobile device enrollment title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.topic: article
@ -9,7 +9,9 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 08/11/2017 ms.date: 08/11/2017
ms.collection: highpri ms.collection:
- highpri
- tier2
--- ---
# Mobile device enrollment # Mobile device enrollment

View File

@ -9,7 +9,9 @@ author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.reviewer: pmadrigal ms.reviewer: pmadrigal
ms.collection: highpri ms.collection:
- highpri
- tier1
ms.date: 08/26/2022 ms.date: 08/26/2022
--- ---

View File

@ -25,6 +25,8 @@
href: delivery-optimization-workflow.md href: delivery-optimization-workflow.md
- name: Using a proxy with Delivery Optimization - name: Using a proxy with Delivery Optimization
href: delivery-optimization-proxy.md href: delivery-optimization-proxy.md
- name: Testing Delivery Optimization
href: delivery-optimization-test.md
- name: Microsoft Connected Cache - name: Microsoft Connected Cache
items: items:
- name: Microsoft Connected Cache overview - name: Microsoft Connected Cache overview

View File

@ -20,14 +20,13 @@ ms.date: 12/31/2017
## Download request workflow ## Download request workflow
This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from.
1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB).
2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. 2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer.
3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file.
4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. 4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download.
5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. 5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode”. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed.
6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. 6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it.
## Delivery Optimization service endpoint and data information ## Delivery Optimization service endpoint and data information
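Review bot: Step 3 of the download request workflow is left as "pulls a certain piece of the hash from another peer", which contradicts steps 1 and 4: the peer supplies a piece of the content, and that piece is checked against the block hash in the content metadata file. Steps 2 and 5 are reworded in this hunk, so step 3 should be corrected in the same pass, for example "pulls a certain piece of the content from another peer, it verifies the piece against the known hash in the content metadata file". The new step 5 text also keeps the mismatched quotation marks around "simple mode” (straight opening quote, curly closing quote), and its two sentences would read better as "falls back to simple mode, which pulls content only from the HTTP source; peer-to-peer isn't allowed".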
@ -35,8 +34,8 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r
|Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint
|--------------------------------------------|--------|---------------|-----------------------|------------------------| |--------------------------------------------|--------|---------------|-----------------------|------------------------|
| geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | | geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) |
| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id | | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping ID <br> **CacheHost**: Cache host ID |
| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID <br> **CacheHost**: Cache host ID |
| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionId**: Client partitioning hint <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionID**: Client partitioning hint <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID |
| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **PeerId**: Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eId**: Client grouping Id | | array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. 
| **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **PeerID**: Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eID**: Client grouping ID |
| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | | dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |
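Review bot: The rewritten rows change the casing of the bold field names inconsistently. The KeyValue row keeps **eId** while the Content Policy, Discovery and Arrays rows switch to **eID**, and the Content Policy row keeps **ContentId** as the field name but refers to "ContentID" in the altCatalogID description, whereas Discovery and Arrays use **ContentID**. These labels document the data sent from the computer to each endpoint, so if they are the literal field names they should keep the casing the client uses, and either way the same name should be spelled the same in every row. Three smaller points in the same hunk: the new Content Policy description reads "Provides content specific policies and as content metadata URLs" (leftover "as"), the Discovery row still says "ensuing that clients are collocated" (should be "ensuring"), and the new Arrays row appears to break onto a second line after "same peer group.", which would split the table row if that line break is in the source file.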

View File

@ -2,6 +2,7 @@
author: amymzhou author: amymzhou
ms.author: amyzhou ms.author: amyzhou
manager: dougeby manager: dougeby
ms.date: 10/18/2022
ms.prod: w10 ms.prod: w10
ms.collection: M365-modern-desktop ms.collection: M365-modern-desktop
ms.topic: include ms.topic: include
@ -14,4 +15,4 @@ ms.localizationpriority: medium
1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. 1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service.
1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. 1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name.
1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. 1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value.

View File

@ -59,8 +59,7 @@ landingContent:
- text: Optimize Windows 10 or later update delivery with Configuration Manager - text: Optimize Windows 10 or later update delivery with Configuration Manager
url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization
- text: Delivery Optimization settings in Microsoft Intune - text: Delivery Optimization settings in Microsoft Intune
url: /mem/intune/configuration/delivery-optimization-windows url: /mem/intune/configuration/delivery-optimization-windows
# Card # Card
- title: Microsoft Connected Cache (MCC) for Enterprise and Education - title: Microsoft Connected Cache (MCC) for Enterprise and Education

View File

@ -20,59 +20,57 @@ ms.date: 12/31/2017
- Windows 10 - Windows 10
- Windows 11 - Windows 11
> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=103506). > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
## Delivery Optimization options ## Delivery Optimization options
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
[//]: # (something about Intune UX--perhaps link to relevant Intune docs?)
### Summary of Delivery Optimization settings ### Summary of Delivery Optimization settings
| Group Policy setting | MDM setting | Supported from version | | Group Policy setting | MDM setting | Supported from version | Notes |
| --- | --- | --- | | --- | --- | --- | ------- |
| [Download mode](#download-mode) | DODownloadMode | 1511 | | [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
| [Group ID](#group-id) | DOGroupID | 1511 | | [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | | [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | | [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | | [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20%. |
| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | | [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.|
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. |
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. |
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. |
| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | | [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. |
| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 | | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | | [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | | [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). |
### More detail on Delivery Optimization settings ### More detail on Delivery Optimization settings
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. #### Locally cached updates
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: Delivery Optimization uses locally cached updates to deliver contact via peers. The more content available in the cache, the more likely that peering can be used. In cases where devices have enough local storage and you'd like to cache more content. Likewise, if you have limited storage and would prefer to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
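Review bot: In the settings table, the new row "Maximum foreground download bandwidth (in KB/s)" links to `#maximum-background-download-bandwidth-in-kbs`, while the two deprecated rows (DOMaxDownloadBandwidth and DOPercentageMaxDownloadBandwidth) link the same label to `#maximum-foreground-download-bandwidth-in-kbs`. One of these targets is wrong, so point the foreground row at the foreground anchor and check that the heading exists. Those two deprecated rows also end with an unmatched closing parenthesis ("instead)|"). In the new "Locally cached updates" paragraph, "deliver contact via peers" should read "content", and "In cases where devices have enough local storage and you'd like to cache more content." is a fragment that needs to be joined to the "Likewise" sentence.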
@ -83,20 +81,35 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size). All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
Additional options available that control the impact Delivery Optimization has on your network include the following: #### Impact to network
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization. More options available that control the impact Delivery Optimization has on your network include the following:
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. - [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
- [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select.
- [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source. - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source.
- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. #### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content cant be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
##### Peer-to-peer delay fallback settings
- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
##### Microsoft Connected Cache (MCC) delay fallback settings
- [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
#### System resource usage
Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
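Review bot: Under "Microsoft Connected Cache (MCC) delay fallback settings", the second bullet repeats the peer-to-peer link "Delay background download from HTTP (in secs)" where it should name "Delay background download Cache Server fallback (in secs)" (`#delay-background-download-cache-server-fallback-in-secs`), the setting the table lists as DelayCacheServerFallbackBackground. As written, the MCC list documents the same policy as the peer-to-peer list and the background cache server delay is never described. In the "Impact to network" list, "bandwidth*hat Delivery Optimization uses" has lost its bold markers and the "t" of "that", and "cant" in the new prioritization paragraph is missing its apostrophe. The rewrite also drops the Max Upload Bandwidth and Monthly Upload Data Cap bullets from that list with no replacement; confirm that is intended.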
@ -107,7 +120,7 @@ Administrators can further customize scenarios where Delivery Optimization will
### Download mode ### Download mode
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization). Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
| Download mode option | Functionality when set | | Download mode option | Functionality when set |
| --- | --- | | --- | --- |
@ -116,19 +129,17 @@ Download mode dictates which download sources clients are allowed to use when do
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. | | Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesnt have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
> [!NOTE] > [!NOTE]
> Starting in Windows 11, the Bypass option of Download Mode is no longer used. > Starting in Windows 11, the Bypass option of Download Mode is deprecated.
> >
> [!NOTE] > [!NOTE]
> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices. > When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
### Group ID ### Group ID
By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
[//]: # (Configuration Manager boundary group option; GroupID Source policy)
>[!NOTE] >[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
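Review bot: The rewritten Bypass (100) row now opens with the deprecation advice and only afterwards says what the mode does ("Bypass Delivery Optimization and use BITS, instead."), so the description reads like leftover text. Put the description first, then the deprecation and the guidance to use (0) or (99). In the same row "doesnt" is missing its apostrophe and the setting is spelled both "DownloadMode" and "Download Mode"; pick one. The deprecation is now stated in the row and again in the [!NOTE] directly below it, so one of the two can go.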
@ -139,14 +150,14 @@ By default, peer sharing on clients using the Group download mode (option 2) is
Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are: Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
- 0 = not set - 0 = Not set
- 1 = AD Site - 1 = AD Site
- 2 = Authenticated domain SID - 2 = Authenticated domain SID
- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
- 4 = DNS Suffix - 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching ### Minimum RAM (inclusive) allowed to use Peer Caching
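Review bot: In the paragraph after the option list, changing "when neither the GroupID or GroupIDSource policies are set" to "when the GroupID or GroupIDSource policies aren't set" makes the condition ambiguous, because it can now be read as applying when only one of the two is unset. This sentence defines which source the client uses to decide group membership, so the wording should be exact; suggest "when neither the GroupID nor the GroupIDSource policy is set". Option 5 in the list still spells the policy "DOGroupIdSource" while the settings table uses "DOGroupIDSource"; align the casing while this section is being touched.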
@ -165,7 +176,7 @@ In environments configured for Delivery Optimization, you might want to set an e
### Max Cache Size ### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**. This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
### Absolute Max Cache Size ### Absolute Max Cache Size
@ -173,7 +184,7 @@ This setting specifies the maximum number of gigabytes the Delivery Optimization
### Minimum Peer Caching Content File Size ### Minimum Peer Caching Content File Size
This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering. This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
### Maximum Download Bandwidth ### Maximum Download Bandwidth
@ -184,11 +195,11 @@ This setting specifies the maximum download bandwidth that can be used across al
### Maximum Foreground Download Bandwidth ### Maximum Foreground Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
### Maximum Background Download Bandwidth ### Maximum Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set. Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
### Percentage of Maximum Download Bandwidth ### Percentage of Maximum Download Bandwidth
@ -199,43 +210,45 @@ This setting specifies the maximum download bandwidth that Delivery Optimization
### Max Upload Bandwidth ### Max Upload Bandwidth
This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
### Set Business Hours to Limit Background Download Bandwidth ### Set Business Hours to Limit Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
### Set Business Hours to Limit Foreground Download Bandwidth ### Set Business Hours to Limit Foreground Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
### Select a method to restrict peer selection ### Select a method to restrict peer selection
Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**. Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
### Delay background download from http (in secs) ### Delay background download from HTTP (in secs)
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
### Delay foreground download from http (in secs) ### Delay foreground download from HTTP (in secs)
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
### Delay Foreground Download Cache Server Fallback (in secs) ### Delay Foreground Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
By default this policy isn't set. So,
### Delay Background Download Cache Server Fallback (in secs) ### Delay Background Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
### Minimum Background QoS ### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s** This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources . The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
### Modify Cache Drive ### Modify Cache Drive
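Review bot: In the Delay Foreground Download Cache Server Fallback section, the standalone line "By default this policy isn't set. So," is an unfinished sentence and repeats the bolded default statement that already closes the paragraph above it; either finish the thought or drop the line. In the Minimum Background QoS paragraph, the new text has a stray space before the period in "from HTTP sources ." and the stated default moves from 500KB/s to 2500 KB/s, so confirm that the new figure is the intended default and not a typo.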
@ -247,7 +260,7 @@ This setting specifies the total amount of data in gigabytes that a Delivery Opt
### Enable Peer Caching while the device connects via VPN ### Enable Peer Caching while the device connects via VPN
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
### Allow uploads while the device is on battery while under set Battery level ### Allow uploads while the device is on battery while under set Battery level
@ -259,10 +272,10 @@ The device can download from peers while on battery regardless of this policy.
### Cache Server Hostname ### Cache Server Hostname
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.** Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
>[!IMPORTANT] >[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. > Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
### Cache Server Hostname Source ### Cache Server Hostname Source
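Review bot: The IMPORTANT note under Cache Server Hostname still says an empty string "isn't considered empty", while the paragraph above it now says the policy "has no value" by default; use the same term in both places so it is clear that setting the policy to "" counts as set. The example host names also use somerandomhost.com, which is a registrable name; a reserved documentation domain such as example.com would be safer in a value readers are likely to copy.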

View File

@ -25,16 +25,19 @@ ms.date: 12/19/2022
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
## Allow service endpoints
When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information.
## Allow content endpoints ## Allow content endpoints
When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). When using a firewall, it's important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
## Recommended Delivery Optimization settings ## Recommended Delivery Optimization settings
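Review bot: The new Allow service endpoints paragraph says "For more information" twice in one sentence ("For more information, see [Delivery Optimization FAQ](...) for more information."); drop the trailing repeat. In the Azure AD paragraph, "To do this set the value" would read better with a comma after "To do this".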
@ -57,13 +60,13 @@ Quick-reference table:
| Use case | Policy | Recommended value | Reason | | Use case | Policy | Recommended value | Reason |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | | Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology |
| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | | Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Use peers-to-peer capability in more downloads |
| Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | | Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain |
| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | | Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period |
### Hybrid WAN scenario ### Hybrid WAN scenario
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
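Review bot: In the quick-reference table, the "Sites with > 30 devices" row now reads "Use peers-to-peer capability", which should be "peer-to-peer", and the "Labs with AC-powered devices" row still says "Leverage" although the other row was changed from "Leverage" to "Use"; apply the same wording to both. In the Hybrid WAN paragraph, the policy is called "GroupIDSource" in one sentence and "DOGroupIDSource" in the next, so pick one form.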
@ -71,14 +74,14 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza
### Hub and spoke topology with boundary groups ### Hub and spoke topology with boundary groups
The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet.
To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**.
> [!NOTE] > [!NOTE]
> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). > For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
### Large number of mobile devices ### Large number of mobile devices
@ -90,11 +93,11 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza
### Plentiful free space and large numbers of devices ### Plentiful free space and large numbers of devices
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices).
### Lab scenario ### Lab scenario
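Review bot: The MDM instruction in the "Plentiful free space" section still tells readers to set DOMinFileSizeToCache to 100 for more than 30 devices, while the paragraph above it and the Group Policy instruction both give 10 for that case; since this line is being edited anyway, correct the value or explain the difference. The new contraction "If you've more than 30 devices" is also awkward where "have" is the main verb; "If you have" reads better.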
@ -104,18 +107,18 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa
To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days).
[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
<!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring--> <!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] [!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)]
### Monitor with Windows Update for Business Delivery Optimization Report
### Monitor with Update Compliance Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. :::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png":::
[[DO status](images/UC_workspace_DO_status.png)](images/UC_workspace_DO_status.png#lightbox) For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md).
For details, see [Delivery Optimization in Update Compliance](../update/update-compliance-delivery-optimization.md).
## Troubleshooting ## Troubleshooting
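Review bot: The alt-text of the new image still ends with "Delivery Optimization status in Update Compliance", although this section replaces Update Compliance with the Windows Update for Business Delivery Optimization Report; update the alt-text to match. The new summary sentence also lists "peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution" without a conjunction before the last item.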
@ -135,17 +138,17 @@ If you don't see any bytes coming from peers the cause might be one of the follo
Try these steps: Try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga"). 1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, DownloadMode should be 1, 2, or 3. 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3.
3. If DownloadMode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. 3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network ### The cloud service doesn't see other peers on the network
Try these steps: Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads. 1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[GroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. 4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
> [!NOTE] > [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
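Review bot: The changed steps now tell the reader to observe DODownloadMode after running Get-DeliveryOptimizationStatus, but DODownloadMode is the policy name and the step is about reading the cmdlet's output; confirm that the cmdlet prints the field under that name, otherwise keep DownloadMode for the output field and use DODownloadMode only where the policy is configured. Also, "waiting 10 15 minutes between downloads" is missing the range separator, and "by opening a browser window and do a search" should be "doing a search".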
@ -155,7 +158,7 @@ Try these steps:
Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps: Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps:
1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt. 1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt.
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you're trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You'll either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
> [!NOTE] > [!NOTE]
> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test.
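Review bot: Step 2 opens a parenthesis at "(the syntax is *telnet [destination IP] [port]*." and never closes it, and the edited sentence mixes "if you are on device" with "you're trying"; close the parenthesis and write "on a device". Since the note below already offers Test-NetConnection, consider leading with it so that the check for port 7680 does not require enabling the Telnet client feature on the device.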

View File

@ -21,11 +21,13 @@ ms.date: 12/31/2017
- Windows 10 - Windows 10
- Windows 11 - Windows 11
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional.
Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
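Review bot: The two new Download Center links include the "en-us" locale segment, which the link they replace did not; drop it so readers are served their own locale. In the rewritten introduction, "among multiple devices in your deployment however, the use of peer-to-peer is completely optional" is a run-on and needs a full stop or semicolon before "however".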
@ -60,7 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: |
| Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | |
| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | | MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | |
#### Windows Server #### Windows Server

View File

@ -14,11 +14,10 @@ ms.date: 12/31/2017
# Optimize Windows update delivery # Optimize Windows update delivery
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -30,7 +29,7 @@ Two methods of peer-to-peer content distribution are available.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates.
- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE] >[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
@ -47,7 +46,7 @@ Two methods of peer-to-peer content distribution are available.
> [!NOTE] > [!NOTE]
> Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache). > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
> >
> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). > In addition to Client Peer Cache, similar functionality is available in the Windows Pre-installation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
## Express update delivery ## Express update delivery
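Review bot: The change from "Windows Preinstallation Environment" to "Windows Pre-installation Environment" in the second NOTE paragraph alters a product name. Microsoft's name for Windows PE is "Windows Preinstallation Environment", without a hyphen, so keep the original spelling here.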
@ -57,6 +56,7 @@ Windows client quality update downloads can be large because every package conta
> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express ### How Microsoft supports Express
- **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone** - **Express on WSUS Standalone**
@ -67,6 +67,7 @@ Windows client quality update downloads can be large because every package conta
### How Express download works ### How Express download works
For OS updates that support Express, there are two versions of the file payload stored on the service: For OS updates that support Express, there are two versions of the file payload stored on the service:
1. **Full-file version** - essentially replacing the local versions of the update binaries. 1. **Full-file version** - essentially replacing the local versions of the update binaries.
2. **Express version** - containing the deltas needed to patch the existing binaries on the device. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device.

View File

@ -330,3 +330,8 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c
<!--Using include for removing device enrollment--> <!--Using include for removing device enrollment-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)] [!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
## Policy considerations for drivers
<!--Using include for Policy considerations for drivers-->
[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]

View File

@ -42,7 +42,7 @@ Windows Update for Business deployment service supports Windows client devices o
### Windows operating system updates ### Windows operating system updates
- Expediting updates requires the *Update Health Tools* on the clients. The tools are are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: - Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device:
- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
- As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
@ -91,6 +91,12 @@ When you use [Windows Update for Business reports](wufb-reports-overview.md) in
<!--Using include for deployment service limitations--> <!--Using include for deployment service limitations-->
[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] [!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)]
## Policy considerations for drivers
<!--Using include for Policy considerations for drivers-->
[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
## General tips for the deployment service ## General tips for the deployment service
Follow these suggestions for the best results with the service: Follow these suggestions for the best results with the service:

View File

@ -54,3 +54,8 @@ While expedite update deployments will override an update deferral for the updat
<!--Using include for Update Health Tools log location--> <!--Using include for Update Health Tools log location-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] [!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
## Policy considerations for drivers
<!--Using include for Policy considerations for drivers-->
[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]

View File

@ -0,0 +1,45 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md, deployment-service-troubleshoot.md, and the deployment-service-prerequisites.md articles. Headings may be driven by article context. 7512398 -->
It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments through the deployment service:
### Policies that exclude drivers from Windows Update for a device
The following policies exclude drivers from Windows Update for a device:
- **Locations of policies that exclude drivers**:
- **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled`
- **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1`
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1`
- **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow`
**Behavior with the deployment service**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience though the deployment service:
- Will display the applicable driver content in the deployment service
- Won't install drivers that are approved from the deployment service
- If drivers are deployed to a device that's blocking them, the deployment service displays the driver is being offered and reporting displays the install is pending.
### Policies that define the source for driver updates
The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS):
- **Locations of policies that define an update source**:
- **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update`
- **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1`
- **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business.
**Behavior with the deployment service**: Devices with these update source policies that are enrolled for **drivers** and added to an audience though the deployment service:
- Will display the applicable driver content in the deployment service
- Will install drivers that are approved from the deployment service
> [!NOTE]
> When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device.
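Review bot: In the "Policies that exclude drivers" list, the Intune entry says the **Windows Drivers** setting is set to `Allow`, which reads as the opposite of an exclusion. The other three entries all turn the exclusion on, so this should presumably be `Block`. The registry value is written as `ExcludeWUDriversFromQualityUpdates` while the CSP on the line above it is `ExcludeWUDriversInQualityUpdate`; please confirm the registry name, because a misspelled value name leaves drivers enabled without any error. Also fix "polices" and "though the deployment service" (twice), spell out the full key for "Under `\AU`", and reword "The following list describes" in the intro, which is followed by headings rather than a list.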

View File

@ -21,7 +21,7 @@ Use the [device](/graph/api/resources/device) resource type to find clients to e
- Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`: - Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`:
```msgraph-interactive ```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$filter=startswith (displayName,'Test')&$select=deviceid,displayName GET https://graph.microsoft.com/v1.0/devices?$filter=startswith(displayName,'Test')&$select=deviceid,displayName
``` ```
@ -38,13 +38,13 @@ For the next requests, set the **ConsistencyLevel** header to `eventual`. For mo
- Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**: - Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**:
```msgraph-interactive ```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"?$select=displayName,operatingSystemVersion` GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"&$select=displayName,operatingSystemVersion
``` ```
- To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device: - To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device:
```msgraph-interactive ```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion` GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion
``` ```
> [!Tip] > [!Tip]

View File

@ -15,7 +15,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G
> [!WARNING] > [!WARNING]
> >
> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). > - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium).
> - Using a test tenant to verify the deployment process first is highly recommended. If you use a production tenant, ensure you verify which client devices you're targeting with deployments. > - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding.
1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. 1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account.
1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission:
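Review bot: The rewritten second warning bullet drops the sentence "If you use a production tenant, ensure you verify which client devices you're targeting with deployments", yet the next step still has the reader enable `WindowsUpdates.ReadWrite.All`. Keep that sentence alongside the new consent guidance so the warning covers both what is being consented to and which devices a request will touch.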

View File

@ -16,7 +16,7 @@ ms.technology: itpro-updates
Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you: Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
- Report on devices with update compliance issues - Report on devices with update compliance issues
- Analyze and display your data in multiple ways - Analyze and display your data in multiple ways

View File

@ -79,8 +79,12 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- Office Click-to-run - Office Click-to-run
- Last Intune device check in completed within the last 28 days. - Last Intune device check in completed within the last 28 days.
- Devices must have Serial Number, Model and Manufacturer. - Devices must have Serial Number, Model and Manufacturer.
> [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. > [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
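Review bot: The LTSC note added after the emulator note is pasted verbatim into the quality updates and prerequisites articles in this same commit, with a variant in the feature updates article. Move it to a shared include, as this commit already does for the driver policy considerations, so the end-of-servicing wording can't drift between copies. "Being currently serviced" would also read better as "currently serviced".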

View File

@ -1,7 +1,7 @@
--- ---
title: Windows feature updates title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch description: This article explains how Windows feature updates are managed in Autopatch
ms.date: 02/07/2023 ms.date: 02/17/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -37,6 +37,9 @@ If a device is registered with Windows Autopatch, and the device is:
- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria. - Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device. - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use a [LTSC media](/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Windows feature update policy configuration ## Windows feature update policy configuration
If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal: If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
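Review bot: In the new IMPORTANT block, "[LTSC media]" links to `/evalcenter/evaluate-windows-10-enterprise`. Confirm that evaluation media is the intended source for upgrading managed LTSC devices, or link to the supported media source instead. Also change "a [LTSC media]" to "[LTSC media]".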

View File

@ -1,7 +1,7 @@
--- ---
title: Windows quality updates title: Windows quality updates
description: This article explains how Windows quality updates are managed in Autopatch description: This article explains how Windows quality updates are managed in Autopatch
ms.date: 02/07/2023 ms.date: 02/17/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -33,6 +33,9 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) | | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
## Windows quality update releases ## Windows quality update releases
Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
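Review bot: The "[Windows quality updates]" link inside the new NOTE points to `../operate/windows-autopatch-windows-quality-update-overview.md`, which appears to be this article (its title is `Windows quality updates`), so the copied text links to itself. Drop the link in this copy or point it at the section that describes the workload.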

View File

@ -1,7 +1,7 @@
--- ---
title: Prerequisites title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch description: This article details the prerequisites needed for Windows Autopatch
ms.date: 09/16/2022 ms.date: 02/17/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -44,12 +44,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch: The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
- Windows 10 (1809+)/11 Pro - Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations - Windows 10 (1809+)/11 Pro for Workstations
> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
## Configuration Manager co-management requirements ## Configuration Manager co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply: Windows Autopatch fully supports co-management. The following co-management requirements apply:
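Review bot: The new LTSC note follows a supported-editions list that names only Pro, Enterprise and Pro for Workstations, so a reader can't tell whether an LTSC edition counts as supported or only as registrable for quality updates. Add the LTSC edition to the list with that restriction, or say in the note that it is an exception to the list. The intro sentence also still says "Windows OS 10 editions" while every bullet reads "Windows 10 (1809+)/11".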

View File

@ -1,7 +1,7 @@
--- ---
title: What's new 2023 title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers. description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 01/31/2023 ms.date: 02/17/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: whats-new ms.topic: whats-new
@ -24,9 +24,13 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description | | Article | Description |
| ----- | ----- | | ----- | ----- |
| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the Microsoft Windows 10/11 diagnostic data section | | [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) |
| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) |
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) |
| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the Built-in roles required for registration section</li><li>Added more information about assigning less-privileged user accounts</li></ul> | | [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
## January 2023 ## January 2023
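Review bot: The first new row links the article as `../operate/windows-autopatch-windows-feature-update-overview.md#` with an empty fragment; remove the trailing `#`. The same row sends "LTSC support" to `#enforcing-a-minimum-windows-os-version`, so check that each of the four LTSC anchors is the heading the note was actually placed under, since the notes were added mid-section.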

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 12/13/2018
ms.topic: how-to ms.topic: how-to
--- ---
@ -179,4 +180,4 @@ When resetting the size of your data history to a lower value, be sure to turn o
## Related Links ## Related Links
- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer)
- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) - [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?)

View File

@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/27/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/27/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/27/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/27/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: medium
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/27/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 06/04/2020
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/11/2016
ms.collection: highpri ms.collection: highpri
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/09/2018
ms.collection: highpri ms.collection: highpri
ms.topic: how-to ms.topic: how-to
--- ---
@ -172,4 +173,4 @@ The **Review problem reports** tool opens, showing you your Windows Error Report
- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer. - Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer.
**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text. **Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 10/12/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 06/28/2021
ms.collection: highpri ms.collection: highpri
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 05/15/2019
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/07/2016
ms.collection: highpri ms.collection: highpri
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---
@ -495,4 +496,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links ## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) - [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---
# Manage connection endpoints for Windows 10 Enterprise, version 1903 # Manage connection endpoints for Windows 10 Enterprise, version 1903
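Review bot: The added `ms.date: 01/18/2018` predates the release this page documents; the heading is for Windows 10 Enterprise, version 1903, a 2019 release. The same value is added to the version 1909 and version 2004 pages in the next two files, which suggests the date was copied across rather than taken from each file's own history. If `ms.date` feeds freshness reporting, set it per file from the last substantive content change.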

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---
# Manage connection endpoints for Windows 10 Enterprise, version 1909 # Manage connection endpoints for Windows 10 Enterprise, version 1909

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---
# Manage connection endpoints for Windows 10 Enterprise, version 2004 # Manage connection endpoints for Windows 10 Enterprise, version 2004

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 01/18/2018
ms.topic: reference ms.topic: reference
--- ---

View File

@ -8,6 +8,7 @@ localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 08/26/2022
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 05/28/2020
ms.collection: highpri ms.collection: highpri
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 05/28/2020
ms.collection: highpri ms.collection: highpri
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 05/20/2019
ms.topic: conceptual ms.topic: conceptual
--- ---
@ -251,4 +252,4 @@ An administrator can configure privacy-related settings, such as choosing to onl
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) * [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report) * [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md) * [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/) * [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 12/17/2020
ms.topic: reference ms.topic: reference
--- ---
# Windows 11 connection endpoints for non-Enterprise editions # Windows 11 connection endpoints for non-Enterprise editions
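Review bot: `ms.date: 12/17/2020` on a Windows 11 page is earlier than Windows 11 itself, which shipped in October 2021. The 20H2 and 21H1 non-Enterprise pages later in this commit receive the identical date, so this value looks copied. Replace it with the date this page was actually last reviewed.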

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/31/2017
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 03/31/2017
ms.collection: highpri ms.collection: highpri
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 06/29/2018
ms.topic: reference ms.topic: reference
--- ---
# Windows 10, version 1809, connection endpoints for non-Enterprise editions # Windows 10, version 1809, connection endpoints for non-Enterprise editions

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 06/29/2018
ms.topic: reference ms.topic: reference
--- ---

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 07/20/2020
ms.topic: reference ms.topic: reference
--- ---
# Windows 10, version 1909, connection endpoints for non-Enterprise editions # Windows 10, version 1909, connection endpoints for non-Enterprise editions

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 05/11/2020
ms.topic: reference ms.topic: reference
--- ---
# Windows 10, version 2004, connection endpoints for non-Enterprise editions # Windows 10, version 2004, connection endpoints for non-Enterprise editions
@ -195,4 +196,3 @@ The following methodology was used to derive the network endpoints:
|www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service |www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service
|www.msftconnecttest.com|HTTP|Network Connection (NCSI) |www.msftconnecttest.com|HTTP|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office |www.office.com|HTTPS|Microsoft Office

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 12/17/2020
ms.topic: reference ms.topic: reference
--- ---
# Windows 10, version 20H2, connection endpoints for non-Enterprise editions # Windows 10, version 20H2, connection endpoints for non-Enterprise editions

View File

@ -7,6 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT author: DHB-MSFT
ms.author: danbrown ms.author: danbrown
manager: dougeby manager: dougeby
ms.date: 12/17/2020
ms.topic: reference ms.topic: reference
--- ---
# Windows 10, version 21H1, connection endpoints for non-Enterprise editions # Windows 10, version 21H1, connection endpoints for non-Enterprise editions

View File

@ -328,8 +328,6 @@
href: identity-protection/credential-guard/credential-guard-requirements.md href: identity-protection/credential-guard/credential-guard-requirements.md
- name: Manage Credential Guard - name: Manage Credential Guard
href: identity-protection/credential-guard/credential-guard-manage.md href: identity-protection/credential-guard/credential-guard-manage.md
- name: Hardware readiness tool
href: identity-protection/credential-guard/dg-readiness-tool.md
- name: Credential Guard protection limits - name: Credential Guard protection limits
href: identity-protection/credential-guard/credential-guard-protection-limits.md href: identity-protection/credential-guard/credential-guard-protection-limits.md
- name: Considerations when using Credential Guard - name: Considerations when using Credential Guard

View File

@ -77,6 +77,16 @@
"identity-protection/hello-for-business/*.md": "erikdau", "identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington", "identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri" "identity-protection/access-control/*.md": "sulahiri"
},
"ms.collection":{
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/bitlocker/*.md": "tier1",
"information-protection/personal-data-encryption/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"threat-protection/windows-defender-application-control/*.md": "tier3",
"threat-protection/windows-firewall/*.md": "tier3"
} }
}, },
"template": [], "template": [],
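Review bot: The new `ms.collection` map assigns `tier1` to `identity-protection/hello-for-business/*.md`, yet later hunks in this commit also add `- tier1` by hand to the front matter of Hello for Business pages, so the tier is now maintained in two places. Pick one source of truth, or state in the commit message that the front matter entries are needed because those pages already declare their own `ms.collection` list. Two further checks: confirm that a single `*` reaches every article in these areas if any of them keep files in subfolders, and note that `identity-protection/credential-guard/*.md` has no entry in this map while its pages receive `- tier2` in front matter.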

View File

@ -1,7 +1,6 @@
--- ---
title: Encryption and data protection in Windows title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10 description: Get an overview encryption and data protection in Windows 11 and Windows 10
search.appverid: MET150
author: frankroj author: frankroj
ms.author: frankroj ms.author: frankroj
manager: aaroncz manager: aaroncz
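Review bot: The `description` context line in this front matter reads "Get an overview encryption and data protection", which is missing "of". Since this hunk already edits the block, fix it here: `description: Get an overview of encryption and data protection in Windows 11 and Windows 10`.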
@ -9,9 +8,6 @@ ms.topic: overview
ms.date: 09/22/2022 ms.date: 09/22/2022
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-security ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
ms.reviewer: rafals ms.reviewer: rafals
--- ---

View File

@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal
ms.date: 12/05/2022 ms.date: 12/05/2022
ms.collection: ms.collection:
- highpri - highpri
- tier2
ms.topic: article ms.topic: article
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -1,9 +1,10 @@
--- ---
title: Manage Windows Defender Credential Guard (Windows) title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
ms.date: 11/23/2022 ms.date: 11/23/2022
ms.collection: ms.collection:
- highpri - highpri
- tier2
ms.topic: article ms.topic: article
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
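Review bot: `ms.date: 11/23/2022` is left unchanged even though this commit rewrites the description and, in the hunks below, removes both hardware readiness tool passages from the page. Update `ms.date` so the page's review date reflects the content change.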
@ -38,7 +39,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
## Enable Windows Defender Credential Guard ## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
> [!NOTE] > [!NOTE]
@ -151,19 +152,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen
> [!NOTE] > [!NOTE]
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```cmd
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
### Review Windows Defender Credential Guard performance ### Review Windows Defender Credential Guard performance
#### Is Windows Defender Credential Guard running? #### Is Windows Defender Credential Guard running?
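Review bot: Deleting the `### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool` heading also deletes its anchor. The in-page link to that anchor is removed in the hunk at line 38, but links from other articles are not visible in this diff; search the repo for `#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool` and for `dg-readiness-tool.md` before merging.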
@ -178,17 +166,6 @@ You can view System Information to check that Windows Defender Credential Guard
:::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe).":::
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
```cmd
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
> [!NOTE] > [!NOTE]
> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
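Review bot: With the `-Ready` check removed, the only verification method visible in this hunk's context is the System Information (msinfo32.exe) screenshot, which is an interactive, per-machine check. If the rest of the section does not already give a scriptable way to confirm Credential Guard is running, add one or link to it, so administrators who relied on the tool for fleet checks have a documented replacement.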

View File

@ -5,6 +5,7 @@ ms.date: 11/22/2022
ms.topic: article ms.topic: article
ms.collection: ms.collection:
- highpri - highpri
- tier2
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>

File diff suppressed because one or more lines are too long

View File

@ -267,7 +267,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
<ipv4DnsServer>10.10.0.1</ipv4DnsServer> <ipv4DnsServer>10.10.0.1</ipv4DnsServer>
<ipv4DnsServer>10.10.0.2</ipv4DnsServer> <ipv4DnsServer>10.10.0.2</ipv4DnsServer>
<dnsSuffix>corp.contoso.com</dnsSuffix> <dnsSuffix>corp.contoso.com</dnsSuffix>
</signal> </signal>
</rule> </rule>
``` ```
@ -280,12 +280,12 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
```xml ```xml
<rule schemaVersion="1.0"> <rule schemaVersion="1.0">
<signal type="ipConfig"> <signal type="ipConfig">
<dnsSuffix>corp.contoso.com</dnsSuffix> <dnsSuffix>corp.contoso.com</dnsSuffix>
</signal> </signal>
</rule>, </rule>,
<rule schemaVersion="1.0"> <rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule> </rule>
``` ```
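Review bot: In the second example the rules are joined with `</rule>,` inside a fence tagged `xml`, so the block as shown is not a single well-formed XML document and will fail if pasted into an XML validator. If the comma is the delimiter the policy setting expects between rules, say so in the sentence that introduces the example; otherwise drop it while the whitespace is being cleaned up.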

View File

@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.date: 12/12/2022 ms.date: 12/12/2022
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.collection: ms.collection:
- ContentEngagementFY23 - ContentEngagementFY23
- tier1
ms.topic: article ms.topic: article
ms.date: 11/15/2022 ms.date: 11/15/2022
appliesto: appliesto:

View File

@ -4,6 +4,7 @@ metadata:
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.topic: faq ms.topic: faq
ms.date: 01/06/2023 ms.date: 01/06/2023
appliesto: appliesto:

View File

@ -3,6 +3,7 @@ title: Pin Reset
description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.date: 07/29/2022 ms.date: 07/29/2022
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -5,6 +5,8 @@ ms.date: 02/24/2021
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article ms.topic: article
ms.collection:
- tier1
--- ---
# Remote Desktop # Remote Desktop

View File

@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.date: 12/13/2022 ms.date: 12/13/2022
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.date: 2/15/2022 ms.date: 2/15/2022
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows)
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.topic: conceptual ms.topic: conceptual
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
ms.collection: ms.collection:
- highpri - highpri
- tier1
ms.date: 10/23/2017 ms.date: 10/23/2017
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

View File

@ -16,6 +16,7 @@ metadata:
ms.date: 01/22/2021 ms.date: 01/22/2021
ms.collection: ms.collection:
- highpri - highpri
- tier1
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new

Some files were not shown because too many files have changed in this diff