diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index fbdd7913a0..2c20894dcf 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -8,9 +8,9 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
+author: dansimp
 ms.localizationpriority: medium
-ms.date: 08/11/2020
+ms.date: 06/02/2021
 ---
 
 # Defender CSP
@@ -56,8 +56,8 @@ Defender
 --------TamperProtectionEnabled (Added in Windows 10, version 1903)
 --------IsVirtualMachine (Added in Windows 10, version 1903)
 ----Configuration (Added in Windows 10, version 1903)
---------TamperProetection (Added in Windows 10, version 1903)
---------EnableFileHashcomputation (Added in Windows 10, version 1903)
+--------TamperProtection (Added in Windows 10, version 1903)
+--------EnableFileHashComputation (Added in Windows 10, version 1903)
 --------SupportLogLocation (Added in the next major release of Windows 10)
 ----Scan
 ----UpdateSignature
@@ -491,7 +491,7 @@ Supported operations are Add, Delete, Get, Replace.
 
 <a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**  
 Enables or disables file hash computation feature.
-When this feature is enabled Windows defender will compute hashes for files it scans.
+When this feature is enabled Windows Defender will compute hashes for files it scans.
 
 The data type is integer.
 
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 75c2d3f601..9e1150cd20 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date:
+ms.date: 06/02/2021
 ms.reviewer:
 manager: dansimp
 ---
@@ -18,9 +18,9 @@ Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto
 The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
 
 Requirements:
-- AD-joined PC running Windows 10, version 1709 or later
+- Active Directory-joined PC running Windows 10, version 1709 or later
 - The enterprise has configured a mobile device management (MDM) service
-- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
+- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
 - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
 
@@ -195,6 +195,8 @@ Requirements:
    
    - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
 
+   - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
+
 2. Install the package on the Domain Controller.
 
 3. Navigate, depending on the version to the folder:
@@ -211,6 +213,8 @@ Requirements:
    
    - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
 
+   - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
+
 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
 
 5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
@@ -294,7 +298,7 @@ To collect Event Viewer logs:
 - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
 
 ### Useful Links
-
+- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
 - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index d62b5b232d..1b75bd9a6b 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -542,7 +542,7 @@ Value type is integer. Supported values:
 > [!Warning]
 > This policy is in preview mode only and therefore not meant or recommended for production purposes.
 
-"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). 
+"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
 
 > [!Note]
 > Web Sign-in is only supported on Azure AD Joined PCs.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 61558a2ca2..c23eade407 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -740,19 +740,13 @@ In Windows 10, you can configure this policy setting to decide what level of dia
 
 The following list shows the supported values for Windows 10 version 1809 and older:
 
--   0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
-    **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
--   1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
--   2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
--   3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
+-   0 – (**Security**) This turns Windows diagnostic data off.  
+    **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
+-   1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
+-   2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
+-   3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
 
-Most restricted value is 0.
-
-The following list shows the supported values for  Windows 10 version 19H1 and later:
-
--   **Diagnostic data off** - No Windows diagnostic data sent.
--   **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected.
--   **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
+Most restrictive value is 0.
 
 <!--<table style="margin-left: 20px">
 <colgroup>
@@ -1614,13 +1608,13 @@ To enable this behavior, you must complete two steps:
 
 -   Enable this policy setting
 -   Set the **AllowTelemetry** level:
-    - For Windows 10 version 1809 and older: set **AllowTelemetry** to (Enhanced) 
+    - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced
     - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
 
  
 When you configure these policy settings, a basic level of  diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: <a href="/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields" data-raw-source="[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)">Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics</a>.
  
-Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
+Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
    
 If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
 
@@ -1785,4 +1779,4 @@ Footnotes:
 - 7 - Available in Windows 10, version 1909.
 - 8 - Available in Windows 10, version 2004.
 
-<!--/Policies-->
\ No newline at end of file
+<!--/Policies-->
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index c8a3334ac2..487cf680c0 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -193,6 +193,8 @@
                     href: update/update-compliance-configuration-script.md
                   - name: Manually configuring devices for Update Compliance
                     href: update/update-compliance-configuration-manual.md
+                  - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager
+                    href: update/update-compliance-configuration-mem.md
               - name: Update Compliance monitoring
                 items: 
                   - name: Use Update Compliance
@@ -541,4 +543,4 @@
                   href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
 
         - name: Install fonts in Windows 10
-          href: windows-10-missing-fonts.md
\ No newline at end of file
+          href: windows-10-missing-fonts.md
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index e3accdee77..771a7648f8 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -53,7 +53,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
 
 If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
 
-%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
+**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini**
 
 ```
 [SetupConfig]
@@ -62,7 +62,7 @@ Priority=Normal
 
 You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. 
 
-```
+```powershell
 #Parameters
 Param(
   [string] $PriorityValue = "Normal"
@@ -91,6 +91,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys)
 #Write content to file 
 New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
 
+<#
 Disclaimer 
 Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is 
 provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without 
@@ -100,162 +101,164 @@ Microsoft, its authors, or anyone else involved in the creation, production, or
 for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, 
 loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script 
 or documentation, even if Microsoft has been advised of the possibility of such damages.
+#>
 ```
 
->[!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. 
+> [!NOTE]
+> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
 
 ## Manually deploy feature updates
 
 The following sections provide the steps to manually deploy a feature update.
 
 ### Step 1: Specify search criteria for feature updates
-There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. 
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy.
 
-1. In the Configuration Manager console, click **Software Library**. 
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
-   - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
+   - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
    - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English.
 
-4. Save the search for future use. 
+4. Save the search for future use.
 
-### Step 2: Download the content for the feature update(s)
-Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 
+### Step 2: Download the content for the feature updates
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
 
-1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 
-2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download.
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
+2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
 
-   The **Download Software Updates Wizard** opens. 
-3. On the **Deployment Package** page, configure the following settings: 
-   **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: 
-     - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. 
-     - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. 
-     - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. 
+   The **Download Software Updates Wizard** opens.
+3. On the **Deployment Package** page, configure the following settings:
+   **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
+     - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
+     - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
+     - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
 
-   >[!NOTE]
-   >The deployment package source location that you specify cannot be used by another software deployment package. 
+   > [!NOTE]
+   > The deployment package source location that you specify cannot be used by another software deployment package.
 
-   >[!IMPORTANT]
-   >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. 
+   > [!IMPORTANT]
+   > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
 
-   >[!IMPORTANT]
-   >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. 
+   > [!IMPORTANT]
+   > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
 
-   Click **Next**. 
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). 
+   Click **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
 
-   >[!NOTE]
-   >The Distribution Points page is available only when you create a new software update deployment package. 
-5. On the **Distribution Settings** page, specify the following settings: 
+   > [!NOTE]
+   > The Distribution Points page is available only when you create a new software update deployment package.
+5. On the **Distribution Settings** page, specify the following settings:
 
-   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
-   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
-   - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: 
-     - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. 
+   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
+   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+   - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
+     - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
      - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
-     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. 
-      
-     For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). 
-   Click **Next**. 
-6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: 
+     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
+
+     For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+   Click **Next**.
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
 
    - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
-   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. 
-   
-     >[!NOTE]
-     >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
 
-   Click **Next**. 
-7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. 
-8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 
-9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. 
+     > [!NOTE]
+     > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+
+   Click **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close.
 
 #### To monitor content status
-1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. 
-2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. 
-3. Select the feature update package that you previously identified to download the feature updates. 
+1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
+3. Select the feature update package that you previously identified to download the feature updates.
 4. On the **Home** tab, in the Content group, click **View Status**.
 
-### Step 3: Deploy the feature update(s) 
-After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). 
+### Step 3: Deploy the feature update(s)
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
 
-1. In the Configuration Manager console, click **Software Library**. 
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
 
-   The **Deploy Software Updates Wizard** opens. 
-4. On the General page, configure the following settings: 
-   - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \<date\>\<time\>** 
-   - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. 
-   - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. 
-   - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. 
-   - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. 
-5. On the Deployment Settings page, configure the following settings: 
+   The **Deploy Software Updates Wizard** opens.
+4. On the General page, configure the following settings:
+   - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \<date\>\<time\>**
+   - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default.
+   - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct.
+   - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time.
+   - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment.
+5. On the Deployment Settings page, configure the following settings:
 
-   - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
-   
-     >[!IMPORTANT]
-     > After you create the software update deployment, you cannot later change the type of deployment. 
-   
-     >[!NOTE]
-     >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
+   - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
 
-   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. 
+     > [!IMPORTANT]
+     > After you create the software update deployment, you cannot later change the type of deployment.
 
-     >[!WARNING]
-     >Before you can use this option, computers and networks must be configured for Wake On LAN. 
+     > [!NOTE]
+     > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
 
-   - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 
+   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required.
+
+     > [!WARNING]
+     > Before you can use this option, computers and networks must be configured for Wake On LAN.
+
+   - **Detail level**: Specify the level of detail for the state messages that are reported by client computers.
 6. On the Scheduling page, configure the following settings:
 
-   - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. 
-   
-     >[!NOTE]
-     >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. 
+   - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
 
-   - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: 
-     - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. 
-   - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. 
-   
-     >[!NOTE]
-     >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
+     > [!NOTE]
+     > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time.
 
-   - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. 
+   - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
+     - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
+   - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
 
-   >[!NOTE]
-   >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). 
-7. On the User Experience page, configure the following settings: 
-   - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. 
-   - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). 
-   - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. 
+     > [!NOTE]
+     > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
 
-     >[!IMPORTANT]
-     >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
-   - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. 
+   - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
 
-     >[!NOTE]
-     >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 
-   - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. 
-8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
+   > [!NOTE]
+   > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent).
+7. On the User Experience page, configure the following settings:
+   - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
+   - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows).
+   - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
 
-   >[!NOTE]
-   >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 
-9. On the Download Settings page, configure the following settings: 
-   - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. 
-   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
-   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
+     > [!IMPORTANT]
+     > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
+   - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
+
+     > [!NOTE]
+     > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
+   - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+   > [!NOTE]
+   > You can review recent software updates alerts from the Software Updates node in the Software Library workspace.
+9. On the Download Settings page, configure the following settings:
+   - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
+   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
+   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
    - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
-   - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. 
+   - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
 
-     >[!NOTE]
-     >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
-10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 
-11. Click **Next** to deploy the feature update(s). 
+     > [!NOTE]
+     > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
 
 ### Step 4: Monitor the deployment status
+
 After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
 
-1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. 
-2. Click the software update group or software update for which you want to monitor the deployment status. 
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
\ No newline at end of file
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index ccdb293504..10b6032442 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -41,16 +41,13 @@ Update Compliance has a number of policies that must be appropriately configured
 
 Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
 
-| Policy | Value | Function |
-|---------------------------|-|------------------------------------------------------------|
-|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
-|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
-|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
-| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
-
-> [!NOTE]
-> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp).
+| Policy | Data type | Value | Function |
+|--------------------------|-|-|------------------------------------------------------------|
+|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
 
 ### Group policies
 
@@ -89,6 +86,6 @@ Census is a service that runs on a regular schedule on Windows devices. A number
 
 A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
 
-1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 
+1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 
 2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. 
 3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
new file mode 100644
index 0000000000..01de3567bf
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -0,0 +1,77 @@
+---
+title: Configuring Microsoft Endpoint Manager devices for Update Compliance
+ms.reviewer: 
+manager: laurawi
+description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Configuring Microsoft Endpoint Manager devices for Update Compliance
+
+> [!NOTE]
+> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
+
+This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
+
+1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 
+2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. 
+3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). 
+
+## Create a configuration profile
+
+Take the following steps to create a configuration profile that will set required policies for Update Compliance:
+
+1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
+2. On the **Configuration profiles** view, select **Create a profile**.
+3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
+4. For **Template name**, select **Custom**, and then press **Create**.
+5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
+6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
+    1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
+    2. Add a setting for **Commercial ID** ) with the following values:
+        - **Name**: Commercial ID
+        - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
+        - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
+        - **Data type**: String
+        - **Value**: *Set this to your Commercial ID*
+    2. Add a setting configuring the **Windows Diagnostic Data level** for devices:
+        - **Name**: Allow Telemetry
+        - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
+        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
+        - **Data type**: Integer
+        - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
+    3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
+        - **Name**: Disable Telemetry opt-in interface
+        - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
+        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
+        - **Data type**: Integer
+        - **Value**: 1
+    4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
+        - **Name**: Allow device name in Diagnostic Data
+        - **Description**: Allows device name in Diagnostic Data.
+        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
+        - **Data type**: Integer
+        - **Value**: 1
+    5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: 
+        - **Name**: Allow Update Compliance Processing
+        - **Description**: Opts device data into Update Compliance processing. Required to see data. 
+        - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
+        - **Data type**: Integer
+        - **Value**: 16
+7.  Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 
+8. Review and select **Create**. 
+
+## Deploy the configuration script
+
+The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). 
+
+When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. 
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index 2bdf88323c..085bf545d6 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -18,22 +18,15 @@ ms.topic: article
 # Configuring devices through the Update Compliance Configuration Script
 
 > [!NOTE]
-> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. 
+> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.
 
-The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more.
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. 
 
 > [!NOTE]
-> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. 
+> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. 
 
 You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 
-## Script FAQ
-
-- I manage my devices with MDM. Should I use this script?
-No, you should not use this script. Instead configure the policies through your MDM provider. 
-- Does this script configure devices for Delivery Optimization?
-No. You must do that separately.
-
 ## How this script is organized
 
 This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. 
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index a224816f2b..f1c18585dd 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp
 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
 3. [Configure devices](#enroll-devices-in-update-compliance)  to send data to Update Compliance.
 
-After adding the solution to Azure and configuring devices, it could take up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
+After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
 
 ## Update Compliance prerequisites
 
@@ -100,10 +100,11 @@ To find your CommercialID within Azure:
 
 ## Enroll devices in Update Compliance
 
-Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance:
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance:
 
-- If you use Group Policy to manage device policies, use the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
-- If you manage devices through MDM providers like Intune, [manually configure device for Update Compliance](update-compliance-configuration-manual.md).
+1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
+2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md).
+3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues.
 
 After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 7f1681e846..23b3637f84 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -276,11 +276,6 @@ The following fields are available:
 - **DatasourceApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CO21H2**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3**  The total number of objects of this type present on this device.
@@ -294,11 +289,6 @@ The following fields are available:
 - **DatasourceDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CO21H2**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3**  The total number of objects of this type present on this device.
@@ -315,11 +305,6 @@ The following fields are available:
 - **DatasourceDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CO21H2**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3**  The total number of objects of this type present on this device.
@@ -336,11 +321,6 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CO21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@@ -354,11 +334,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CO21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@@ -372,11 +347,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CO21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@@ -391,11 +361,6 @@ The following fields are available:
 - **DatasourceSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CO21H2**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3**  The total number of objects of this type present on this device.
@@ -412,11 +377,6 @@ The following fields are available:
 - **DecisionApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3**  The total number of objects of this type present on this device.
@@ -430,11 +390,6 @@ The following fields are available:
 - **DecisionDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3**  The total number of objects of this type present on this device.
@@ -451,11 +406,6 @@ The following fields are available:
 - **DecisionDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3**  The total number of objects of this type present on this device.
@@ -472,11 +422,6 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@@ -490,11 +435,6 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@@ -508,11 +448,6 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@@ -526,11 +461,6 @@ The following fields are available:
 - **DecisionMediaCenter_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3**  The total number of objects of this type present on this device.
@@ -540,11 +470,6 @@ The following fields are available:
 - **DecisionMediaCenter_TH2**  The total number of objects of this type present on this device.
 - **DecisionSModeState_20H1**  The total number of objects of this type present on this device.
 - **DecisionSModeState_21H1**  The total number of objects of this type present on this device.
-- **DecisionSModeState_21H2**  The total number of objects of this type present on this device.
-- **DecisionSModeState_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSModeState_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSModeState_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSModeState_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19ASetup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1Setup**  The total number of objects of this type present on this device.
@@ -552,11 +477,6 @@ The following fields are available:
 - **DecisionSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3**  The total number of objects of this type present on this device.
@@ -569,49 +489,20 @@ The following fields are available:
 - **DecisionSystemBios_TH2**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemDiskSize_21H1**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemMemory_21H1**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessor_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuCores_21H1**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuModel_21H1**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemProcessorCpuSpeed_21H1**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_19H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_21H2**  The total number of objects of this type present on this device.
-- **DecisionTest_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionTest_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_RS1**  The total number of objects of this type present on this device.
 - **DecisionTest_RS2**  The total number of objects of this type present on this device.
 - **DecisionTest_RS3**  The total number of objects of this type present on this device.
@@ -621,18 +512,8 @@ The following fields are available:
 - **DecisionTest_TH2**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_20H1**  The total number of objects of this type present on this device.
 - **DecisionTpmVersion_21H1**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_21H2**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_20H1**  The total number of objects of this type present on this device.
 - **DecisionUefiSecureBoot_21H1**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_21H2**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CO21H2**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CU22H2Setup**  The total number of objects of this type present on this device.
 - **InventoryApplicationFile**  The total number of objects of this type present on this device.
 - **InventoryDeviceContainer**  The total number of objects of this type present on this device.
 - **InventoryDevicePnp**  The total number of objects of this type present on this device.
@@ -662,11 +543,6 @@ The following fields are available:
 - **Wmdrm_20H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_21H2**  The total number of objects of this type present on this device.
-- **Wmdrm_21H2Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_CO21H2**  The total number of objects of this type present on this device.
-- **Wmdrm_CO21H2Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_CU22H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_RS1**  The total number of objects of this type present on this device.
 - **Wmdrm_RS2**  The total number of objects of this type present on this device.
 - **Wmdrm_RS3**  The total number of objects of this type present on this device.
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 692cfa0a09..9514d43951 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
 
 ## Behaviorial changes
 
-In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
+In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
 
 Additionally, you will see the following policy changes in an upcoming release of Windows 10:
 
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 67158554c1..fdaf967827 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,5 +1,5 @@
 ---
-description: Use this article to learn more about what required Windows diagnostic data is gathered.
+description: Learn what required Windows diagnostic data is gathered.
 title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
 keywords: privacy, telemetry
 ms.prod: w10
@@ -64,10 +64,6 @@ The following fields are available:
 - **DatasourceApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DatasourceApplicationFile_RS3**  The total number of objects of this type present on this device.
@@ -81,10 +77,6 @@ The following fields are available:
 - **DatasourceDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDevicePnp_RS3**  The total number of objects of this type present on this device.
@@ -100,10 +92,6 @@ The following fields are available:
 - **DatasourceDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DatasourceDriverPackage_RS3**  The total number of objects of this type present on this device.
@@ -119,10 +107,6 @@ The following fields are available:
 - **DataSourceMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@@ -136,10 +120,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@@ -153,10 +133,6 @@ The following fields are available:
 - **DataSourceMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DataSourceMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@@ -170,10 +146,6 @@ The following fields are available:
 - **DatasourceSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_21H1Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DatasourceSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DatasourceSystemBios_RS3**  The total number of objects of this type present on this device.
@@ -189,10 +161,6 @@ The following fields are available:
 - **DecisionApplicationFile_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionApplicationFile_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS1**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS2**  The total number of objects of this type present on this device.
 - **DecisionApplicationFile_RS3**  The total number of objects of this type present on this device.
@@ -206,10 +174,6 @@ The following fields are available:
 - **DecisionDevicePnp_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDevicePnp_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS1**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS2**  The total number of objects of this type present on this device.
 - **DecisionDevicePnp_RS3**  The total number of objects of this type present on this device.
@@ -225,10 +189,6 @@ The following fields are available:
 - **DecisionDriverPackage_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionDriverPackage_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS1**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS2**  The total number of objects of this type present on this device.
 - **DecisionDriverPackage_RS3**  The total number of objects of this type present on this device.
@@ -244,10 +204,6 @@ The following fields are available:
 - **DecisionMatchingInfoBlock_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoBlock_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoBlock_RS3**  The total number of objects of this type present on this device.
@@ -261,10 +217,6 @@ The following fields are available:
 - **DecisionMatchingInfoPassive_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPassive_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPassive_RS3**  The total number of objects of this type present on this device.
@@ -278,10 +230,6 @@ The following fields are available:
 - **DecisionMatchingInfoPostUpgrade_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMatchingInfoPostUpgrade_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS1**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS2**  The total number of objects of this type present on this device.
 - **DecisionMatchingInfoPostUpgrade_RS3**  The total number of objects of this type present on this device.
@@ -295,10 +243,6 @@ The following fields are available:
 - **DecisionMediaCenter_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionMediaCenter_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS2**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_RS3**  The total number of objects of this type present on this device.
@@ -306,19 +250,12 @@ The following fields are available:
 - **DecisionMediaCenter_RS5**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH1**  The total number of objects of this type present on this device.
 - **DecisionMediaCenter_TH2**  The total number of objects of this type present on this device.
-- **DecisionSModeState_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSModeState_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSModeState_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_19H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemBios_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS2**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_RS3**  The total number of objects of this type present on this device.
@@ -328,29 +265,11 @@ The following fields are available:
 - **DecisionSystemBios_RS5Setup**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH1**  The total number of objects of this type present on this device.
 - **DecisionSystemBios_TH2**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemDiskSize_CU22H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemMemory_CU22H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuCores_CU22H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuModel_CU22H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionSystemProcessorCpuSpeed_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_19H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1**  The total number of objects of this type present on this device.
 - **DecisionTest_20H1Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1**  The total number of objects of this type present on this device.
 - **DecisionTest_21H1Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_21H2**  The total number of objects of this type present on this device.
-- **DecisionTest_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTest_CU22H2Setup**  The total number of objects of this type present on this device.
 - **DecisionTest_RS1**  The total number of objects of this type present on this device.
 - **DecisionTest_RS2**  The total number of objects of this type present on this device.
 - **DecisionTest_RS3**  The total number of objects of this type present on this device.
@@ -358,12 +277,6 @@ The following fields are available:
 - **DecisionTest_RS5**  The total number of objects of this type present on this device.
 - **DecisionTest_TH1**  The total number of objects of this type present on this device.
 - **DecisionTest_TH2**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionTpmVersion_CU22H2Setup**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CO21H2Setup**  The total number of objects of this type present on this device.
-- **DecisionUefiSecureBoot_CU22H2Setup**  The total number of objects of this type present on this device.
 - **InventoryApplicationFile**  The total number of objects of this type present on this device.
 - **InventoryLanguagePack**  The total number of objects of this type present on this device.
 - **InventoryMediaCenter**  The total number of objects of this type present on this device.
@@ -387,10 +300,6 @@ The following fields are available:
 - **Wmdrm_20H1Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1**  The total number of objects of this type present on this device.
 - **Wmdrm_21H1Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_21H2**  The total number of objects of this type present on this device.
-- **Wmdrm_21H2Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_CO21H2Setup**  The total number of objects of this type present on this device.
-- **Wmdrm_CU22H2Setup**  The total number of objects of this type present on this device.
 - **Wmdrm_RS1**  The total number of objects of this type present on this device.
 - **Wmdrm_RS2**  The total number of objects of this type present on this device.
 - **Wmdrm_RS3**  The total number of objects of this type present on this device.
@@ -4130,7 +4039,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@@ -4162,7 +4071,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@@ -4195,7 +4104,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See (experimentationandconfigurationservicecontrol)[/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol] for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@@ -4228,7 +4137,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [#experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@@ -4342,7 +4251,7 @@ The following fields are available:
 - **container_session_id**  The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
 - **Etag**  Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
 - **EventInfo.Level**  The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy.
+- **experimentation_mode**  A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [experimentationandconfigurationservicecontrol](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy.
 - **install_date**  The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
 - **installSource**  An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
 - **installSourceName**  A string representation of the installation source.
@@ -6355,7 +6264,7 @@ The following fields are available:
 
 ### Microsoft.Windows.WERVertical.OSCrash
 
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event.
 
 The following fields are available:
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index d867b494ec..28ff8d49c6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized.  You need A
   
 Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
  
+> [!NOTE]
+> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues).
+
 > [!NOTE]
 > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
  
@@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration,
 3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index 4f7f59f8ff..5a04348f87 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -26,9 +26,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th
 
 Most ransomware infections start with:
 
-* Email messages with attachments that try to install ransomware.
+- Email messages with attachments that try to install ransomware.
 
-* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
+- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
 
 Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
 
@@ -38,11 +38,11 @@ Ransomware is one of the most lucrative revenue channels for cybercriminals, so
 
 Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
 
-* Spora drops ransomware copies in network shares.
+- Spora drops ransomware copies in network shares.
 
-* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. 
+- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. 
 
-* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
+- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
 
 Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid.
 
@@ -52,16 +52,26 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty
 
 ## How to protect against ransomware
 
- Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms.
+Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms.
 
-We recommend:
+To provide the best protection against ransomware attacks, Microsoft recommends that you:
 
-* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.  
+- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.  
 
-* Apply the latest updates to your operating systems and apps.
+- Apply the latest updates to your operating systems and apps.
 
-* Educate your employees so they can identify social engineering and spear-phishing attacks.
+- Educate your employees so they can identify social engineering and spear-phishing attacks.
 
-* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
+- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
 
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+
+## Human-operated ransomware
+
+Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go.
+
+Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands.
+
+The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware).
+
+See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 3662667af2..2a578d07ab 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:
 
 - Windows 10 security baselines
-    - Windows 10 Version 20H2 (October 2020 Update)
-    - Windows 10 Version 2004 (May 2020 Update)
-    - Windows 10 Version 1909 (November 2019 Update)
-    - Windows 10 Version 1809 (October 2018 Update)
-    - Windows 10 Version 1803 (April 2018 Update)
-    - Windows 10 Version 1607 (Anniversary Update)
-    - Windows 10 Version 1507
+    - Windows 10, Version 21H1 (May 2021 Update)
+    - Windows 10, Version 20H2 (October 2020 Update)
+    - Windows 10, Version 2004 (May 2020 Update)
+    - Windows 10, Version 1909 (November 2019 Update)
+    - Windows 10, Version 1809 (October 2018 Update)
+    - Windows 10, Version 1607 (Anniversary Update)
+    - Windows 10, Version 1507
 
 - Windows Server security baselines
     - Windows Server 2019
@@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of:
     - Windows Server 2012 R2
 
 - Microsoft Office security baseline
-    - Microsoft 365 Apps for enterprise (Sept 2019)
+    - Microsoft 365 Apps for enterprise, Version 2104
 
 - Microsoft Edge security baseline
     - Version 88
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 716b1da171..671eb87720 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -74,17 +74,18 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. 
 
 ### Countermeasure
 
-Set this policy to *Disabled* or don't configure this security policy for domain-joined devices.
+Set this policy to *Disabled* or don't configure this security policy for *on-premises only* environments.
 
 ### Potential impact
 
-If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
+If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
+
+If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work.
 
-Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index b7dcbcddd8..29d54546be 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used:
 -   In addition to other measures, you need to control the access to sensitive data through app usage.
 
 > [!NOTE]
-> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
 
 AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
 
@@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base
 | [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
 | [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
 | [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 57043da075..c97df0f805 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 3/17/2020
+ms.date: 06/02/2021
 ms.technology: mde
 ---
 
@@ -22,14 +22,14 @@ ms.technology: mde
 
 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
 
-- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
+- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
 
-- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
+- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
 
 ## Microsoft Windows CodeIntegrity Operational log event IDs
 
 | Event ID | Explanation |
-|---|----------|
+|--------|-----------|
 | 3076 | Audit executable/dll file |
 | 3077 | Block executable/dll file |
 | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
@@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 ## Microsoft Windows AppLocker MSI and Script log event IDs
 
 | Event ID | Explanation |
-|---|----------|
+|--------|-----------|
 | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
 | 8029 | Block script/MSI file |
 | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
@@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information.
 
 | Event ID | Explanation |
-|---|----------|
+|--------|---------|
 | 3090 | Allow executable/dll file |
 | 3091 | Audit executable/dll file |
 | 3092 | Block executable/dll file |
@@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t
 Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates.
 
 | Name | Explanation |
-|---|----------|
+|------|------|
 | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
 | ManagedInstallerEnabled | Policy trusts a MI |
 | PassesManagedInstaller | File originated from a trusted MI |
@@ -81,3 +81,43 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
 ```powershell
 reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
 ```
+
+## Appendix
+A list of other relevant event IDs and their corresponding description.
+
+| Event ID | Description |
+|-------|------|
+| 3001 | An unsigned driver was attempted to load on the system. | 
+| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
+| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
+| 3010 | The catalog containing the signature for the file under validation is invalid. |
+| 3011 | Code Integrity finished loading the signature catalog. |
+| 3012 | Code Integrity started loading the signature catalog. |
+| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
+| 3024 | Windows application control was unable to refresh the boot catalog file. |
+| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
+| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. | 
+| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. | 
+| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | 
+| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
+| 3075 | This event monitors the performance of the Code Integrity policy check a file. |
+| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. |
+| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | 
+| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
+| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
+| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
+| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | 
+| 3097 | The Code Integrity policy cannot be refreshed. | 
+| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
+| 3101 | Code Integrity started refreshing the policy. | 
+| 3102 | Code Integrity finished refreshing the policy. | 
+| 3103 | Code Integrity is ignoring the policy refresh. | 
+| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | 
+| 3105 | Code Integrity is attempting to refresh the policy. | 
+| 3108 | Windows mode change event was successful. |
+| 3110 | Windows mode change event was unsuccessful. |
+| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 74b961fb89..cd82d2c618 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -484,9 +484,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or
 
 ### Windows Insider for Business
 
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
 
-You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
+You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
 
 
 ### Optimize update delivery
@@ -642,4 +642,4 @@ See the following example:
 
 ## See Also
 
-[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
\ No newline at end of file
+[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.