Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into wn-21H1

windows/application-management/manage-windows-mixed-reality.md

@@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
 
 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
 
-   1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
+   1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
 
       > [!NOTE]
       > You must download the FOD .cab file that matches your operating system version.
@@ -99,4 +99,4 @@ In the following example, the **Id** can be any generated GUID and the **Name**
 
 ## Related topics
 
-- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
+- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)

windows/client-management/mdm/policy-csp-experience.md

@@ -76,6 +76,9 @@ manager: dansimp
   <dd>
     <a href="#experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a>
   </dd>
+  <dd>
+    <a href="#experience-configurechaticonvisibilityonthetaskbar">Experience/ConfigureChatIcon</a>
+  </dd>
   <dd>
     <a href="#experience-disablecloudoptimizedcontent">Experience/DisableCloudOptimizedContent</a>
   </dd>
@@ -1219,6 +1222,65 @@ The following list shows the supported values:
 <!--/SupportedValues-->
 <!--/Policy-->
 
+<!--Policy-->
+<a href="" id="experience-configurechaticonvisibilityonthetaskbar"></a>**Experience/ConfigureChatIcon**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Specifies whether to allow "Chat" on the Taskbar.
+
+<!--/Description-->
+<!--SupportedValues-->
+The values for this policy are 0, 1, 2 and 3. This policy defaults to 0.
+
+0 - Default: The Chat icon will be displayed or hidden on the taskbar based on account type. Users can show or hide it in Settings.
+1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.
+2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
+3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="experience-disablecloudoptimizedcontent"></a>**Experience/DisableCloudOptimizedContent**  
 
@@ -1636,4 +1698,4 @@ Footnotes:
 - 8 - Available in Windows 10, version 2004.
 - 9 - Available in Windows 10, version 20H2.
 
-<!--/Policies-->
+<!--/Policies-->

windows/deployment/update/update-compliance-configuration-manual.md

@@ -31,9 +31,6 @@ The requirements are separated into different categories:
 
 ## Required policies
 
-> [!NOTE]
-> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
-
 Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
 
 - **Policy** corresponds to the location and name of the policy.

windows/deployment/update/update-compliance-configuration-script.md

@@ -18,9 +18,12 @@ ms.topic: article
 # Configuring devices through the Update Compliance Configuration Script
 
 > [!NOTE]
-> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. 
+> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. 
 
-The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more.
+
+> [!NOTE]
+> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. 
 
 You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 

windows/deployment/update/waas-delivery-optimization.md

@@ -132,39 +132,44 @@ For more details, check out the [Adopting Windows as a Service at Microsoft](htt
 
 ## Frequently asked questions
 
-**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+#### Does Delivery Optimization work with WSUS?
+Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
 
-**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
+#### Which ports does Delivery Optimization use?
+Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
 
 If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
 
 Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
 
 
-**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update).
+#### What are the requirements if I use a proxy?
+For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update).
 
-**What hostnames should I allow through my firewall to support Delivery Optimization?**: 
+#### What hostnames should I allow through my firewall to support Delivery Optimization?
 
 For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
 
-For Delivery Optimization metadata: 
+**For Delivery Optimization metadata**:
 
 - *.dl.delivery.mp.microsoft.com
 - *.emdl.ws.microsoft.com
 
-For the payloads (optional):
+**For the payloads (optional)**:
 
 - *.download.windowsupdate.com 
 - *.windowsupdate.com
 
-**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
+#### Does Delivery Optimization use multicast?
+No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
 
-**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+#### How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
+Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
 
-**How does Delivery Optimization handle VPNs?**
+#### How does Delivery Optimization handle VPNs?
 Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
 
-If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn)	policy.
+If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
 
 If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
 
@@ -186,6 +191,14 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro
 
 For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
 
+
+#### How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
+Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
+
+> [!NOTE]
+> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
+
+
 ## Troubleshooting
 
 This section summarizes common problems and some solutions to try.

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md

@@ -8,14 +8,14 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 05/06/2021
+ms.date: 05/12/2021
-ms.reviewer: 
+ms.reviewer:
 manager: dansimp
 ms.custom: asr
 ms.technology: mde
 ---
 
-# Frequently asked questions - Microsoft Defender Application Guard 
+# Frequently asked questions - Microsoft Defender Application Guard
 
 **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
@@ -27,37 +27,38 @@ This article lists frequently asked questions with answers for Microsoft Defende
 
 We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
 
-`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)                                                   
+`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
 
 `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
 
 `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
 
-### Can employees download documents from the Application Guard Edge session onto host devices? 
+### Can employees download documents from the Application Guard Edge session onto host devices?
 
 In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
 
-In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. 
+In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
 
-### Can employees copy and paste between the host device and the Application Guard Edge session? 
+### Can employees copy and paste between the host device and the Application Guard Edge session?
 
-Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. 
+Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
 
 ### Why don't employees see their favorites in the Application Guard Edge session?
 
-Depending on your organization’s settings, it might be that Favorites Sync is off. To managed the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard)
+Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard)
 
 ### Why aren’t employees able to see their extensions in the Application Guard Edge session?
 
 Make sure to enable the extensions policy on your Application Guard configuration.
 
-### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? 
+### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
 
-Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
+Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
 
-### Which Input Method Editors (IME) in 19H1 are not supported? 
+### Which Input Method Editors (IME) in 19H1 are not supported?
+
+The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
 
-The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
 - Vietnam Telex keyboard
 - Vietnam number key-based keyboard
 - Hindi phonetic keyboard
@@ -71,25 +72,25 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
 - Odia phonetic keyboard
 - Punjabi phonetic keyboard
 
-### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? 
+### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
 
 This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
 
-### What is the WDAGUtilityAccount local account? 
+### What is the WDAGUtilityAccount local account?
 
-WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: 
+WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
 
 **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
 
 We recommend that you do not modify this account.
 
-### How do I trust a subdomain in my site list?                          
+### How do I trust a subdomain in my site list?
 
 To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
 
-### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? 
+### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
 
-When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). 
+When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
 
 ### Is there a size limit to the domain lists that I need to configure?
 
@@ -97,7 +98,7 @@ Yes, both the Enterprise Resource domains that are hosted in the cloud and the d
 
 ### Why does my encryption driver break Microsoft Defender Application Guard?
 
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).  
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
 
 ### Why do the Network Isolation policies in Group Policy and CSP look different?
 
@@ -109,45 +110,57 @@ There is not a one-to-one mapping among all the Network Isolation policies betwe
 
 - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
 
-Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). 
+Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
 
 ### Why did Application Guard stop working after I turned off hyperthreading?
 
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
 
 ### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
 
-Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. 
+Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
 
-### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
+### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
+
+This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
 
-This is a known issue. To mitigate this you need to create two firewall rules.
-For guidance on how to create a firewall rule by using group policy, see:
 - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
 - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
 
-First rule (DHCP Server):
+#### First rule (DHCP Server)
 1. Program path: `%SystemRoot%\System32\svchost.exe`
+
 2. Local Service: `Sid:  S-1-5-80-2009329905-444645132-2728249442-922493431-93864177  (Internet Connection Service (SharedAccess))`
+
 3. Protocol UDP
+
 4. Port 67
 
-Second rule (DHCP Client)
+#### Second rule (DHCP Client)
-This is the same as the first rule, but scoped to local port 68.
+This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
-In the Microsoft Defender Firewall user interface go through the following steps:
+
 1. Right-click on inbound rules, and then create a new rule.
+
 2. Choose **custom rule**.
+
 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
+
 4. Specify the following settings:
     - Protocol Type: UDP
     - Specific ports: 67
     - Remote port: any
-6. Specify any IP addresses.
+
-7. Allow the connection.
+5. Specify any IP addresses.
-8. Specify to use all profiles.
+
-9. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+6. Allow the connection.
-10. In the **Programs and services** tab, under the **Services** section, select **settings**. 
+
-11. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+7. Specify to use all profiles.
+
+8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+
+9. In the **Programs and services** tab, under the **Services** section, select **settings**.
+
+10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
 
 ### Why can I not launch Application Guard when Exploit Guard is enabled?
 
@@ -157,9 +170,9 @@ There is a known issue such that if you change the Exploit Protection settings f
 
 ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
 
-1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 
+1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
 
-2. Disable IpNat.sys from ICS load as follows: <br/> 
+2. Disable IpNat.sys from ICS load as follows: <br/>
 `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
 
 3. Configure ICS (SharedAccess) to enabled as follows: <br/>
@@ -172,27 +185,26 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
 
 ### Why doesn't the container fully load when device control policies are enabled?
 
-Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. 
+Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
 
-Policy: Allow installation of devices that match any of these device IDs 
+Policy: Allow installation of devices that match any of the following device IDs:
-- `SCSI\DiskMsft____Virtual_Disk____` 
+
-- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` 
+- `SCSI\DiskMsft____Virtual_Disk____`
-- `VMS_VSF` 
+- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
-- `root\Vpcivsp` 
+- `VMS_VSF`
-- `root\VMBus` 
+- `root\Vpcivsp`
-- `vms_mp` 
+- `root\VMBus`
-- `VMS_VSP` 
+- `vms_mp`
+- `VMS_VSP`
 - `ROOT\VKRNLINTVSP`
-- `ROOT\VID` 
+- `ROOT\VID`
-- `root\storvsp` 
+- `root\storvsp`
-- `vms_vsmp` 
+- `vms_vsmp`
-- `VMS_PP` 
+- `VMS_PP`
 
-Policy: Allow installation of devices using drivers that match these device setup classes 
+Policy: Allow installation of devices using drivers that match these device setup classes
 - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
 
-
-
 ## See also
 
 [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)